stored XSS through Question sending in thorsten/phpmyfaq

Valid

Reported on

Jan 23rd 2023

Dear Ladies and Gentlemen,

First of all, thank you for your time and effort in reading my Report.

While doing the Penetration Test my Brother Ahmed Hassan (hassanahmed8199@gmail.com) and I were able to identify another stored XSS Cross-Site-Scripting Injection Vulnerability.

The Process of the Vulnerability:

Login
Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
Any User will be able to submit questions that need to be verified by the Administrator.
As soon as the Administrator will review the Question and accept it the Javascript Code will work after refreshment.
The User can submit JavaScript Code and it will run as Code.
Type any kind of JavaScript Code like <script>alert(‘1’)</script>
The Attacker can inject JavaScript Code and steal the Admin Cookies

Through this, any Attacker can inject JavaScript Code and use further Vulnerabilities to use other Exploitation Steps.

Finally, I want to thank you for your time and effort, and hope to hear from you soon.

Best regards Josef Hassan & Ahmed Hassan

Impact

Dear Ladies and Gentlemen,

First of all, thank you for your time and effort in reading my Report.

While doing the Penetration Test my Brother Ahmed Hassan (hassanahmed8199@gmail.com) and I were able to identify another stored XSS Cross-Site-Scripting Injection Vulnerability.

The Process of the Vulnerability:

Login
Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
Any User will be able to submit questions that need to be verified by the Administrator.
As soon as the Administrator will review the Question and accept it the Javascript Code will work after refreshment.
The User can submit JavaScript Code and it will run as Code.
Type any kind of JavaScript Code like <script>alert(‘1’)</script>
The Attacker can inject JavaScript Code and steal the Admin Cookies

Through this, any Attacker can inject JavaScript Code and use further Vulnerabilities to use other Exploitation Steps.

Finally, I want to thank you for your time and effort, and hope to hear from you soon.

Best regards Josef Hassan & Ahmed Hassan

References

Question - Stored XSS by Josef and Ahmed Proof of Concept Video

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 2 months ago

A thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago

Thorsten Rinne validated this vulnerability 2 months ago

josefjku has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.11 with commit b76d58 2 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Feb 28th 2023

Thorsten Rinne published this vulnerability 2 months ago

to join this conversation