Stored XSS in admin panel (users page) in thorsten/phpmyfaq
Valid
Reported on Dec 19th 2022
Description
Stored XSS in the users page of the admin panel: any user can inject an XSS payload into the Name input field, and the payload then affects the admin panel.
Proof of Concept
https://drive.google.com/file/d/1EsYq3R6GRAdEbpZxp2RwQwGr4G8fJGB7/view?usp=sharing
Impact
Leads to admin account takeover.
We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours.
5 months ago
The researcher's credibility has increased: +7
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
