Multiple Stored XSS via mail parameter in thorsten/phpmyfaq
Reported on
Apr 2nd 2023
Description
In phpMyFAQ, while submitting a question, the mail parameter accepts unsanitized user input, which leads to a stored XSS vulnerability that executes in the admin panel (/admin/?action=question).
Proof of Concept
- Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
- Fill in all the required fields except the "Your email address" field
- Enter the payload in the "Your email address" field
- Submit
- XSS will execute in the admin panel (https://roy.demo.phpmyfaq.de/admin/?action=question)
(Screenshot: PoC)
Payload
"><iframe/src=javascript:prompt(3)>"@x.y
Another XSS due to the same occurrence:
Similar to this, the mail parameter in every function is vulnerable to XSS! While making a comment on a FAQ, capture the request via Burp Suite and change the mail parameter to the payload below.
Example REQUEST:
id=1&lang=en&type=faq&user=Demouser&mail="><svg/onload=confirm(document.domain)>"@x.y&comment_text=hello
(Screenshot: REQUEST)
Payload
"><svg/onload=confirm(document.domain)>"@x.y
XSS executes on the admin comments page:
https://roy.demo.phpmyfaq.de/admin/?action=comments
FAQ page:
https://roy.demo.phpmyfaq.de/index.php?action=faq&cat=1&id=1&artlang=en
(Screenshot: PoC 2)
Impact
If an attacker can control a script that is executed in the admin's browser, then they can typically fully compromise that admin user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.
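Added example (not phpMyFAQ's code and not part of the report) showing why both payloads above get through a "looks like an address" check, and how a strict allow-list validator on input plus contextual HTML encoding on output neutralise them. The validator regex and the admin-panel rendering helpers are assumptions for illustration, not phpMyFAQ's actual rules.

```python
import html
import re

# Payloads quoted from the report above.
PAYLOAD_1 = '"><iframe/src=javascript:prompt(3)>"@x.y'
PAYLOAD_2 = '"><svg/onload=confirm(document.domain)>"@x.y'


def naive_has_at(value: str) -> bool:
    """The kind of check that lets these through: an '@' and a dotted domain."""
    return "@" in value and "." in value.split("@")[-1]


# Assumed allow-list validator: refuses RFC 5322 quoted local parts, so any
# value containing '"', '<', '>' or whitespace is rejected before storage.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$")


def is_safe_email(value: str) -> bool:
    return _EMAIL_RE.fullmatch(value) is not None


def render_cell_unsafe(value: str) -> str:
    """Vulnerable pattern: stored value concatenated straight into admin HTML."""
    return "<td>" + value + "</td>"


def render_cell(value: str) -> str:
    """Fixed pattern: encode for the HTML element context at output time.

    This is the primary defence; it holds even for values stored before the
    input validator existed.
    """
    return "<td>" + html.escape(value, quote=True) + "</td>"


def contains_markup(rendered: str) -> bool:
    """True when a raw tag opener survived into the rendered HTML."""
    return "<iframe" in rendered or "<svg" in rendered
```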
Hi, @thorsten
What's the CVE number?
Thank you for the early validation.
