Stored XSS on Configuration Version in thorsten/phpmyfaq


Reported on

Feb 12th 2023


In a form version that appears to have no validation, it means that the website or application is not properly checking user inputs for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own malicious script, which can then be executed by other users who access the affected page. This can lead to sensitive information being stolen, unauthorized actions being taken, and a variety of other security risks.

Proof of Concept

1.Go to
2.Save Configuration and intercept
3.Edit main.currentVersion with xss payload </script><script>alert('1337')</</script><script>alert('1337')</script>script>
4.Forward request This xss will trigger in every domain that show version of phpmyfaq


XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne
2 months ago


@isdkrisna Why should someone with admin permission use this weak way of harming the users?

2 months ago


i thought that the version couldn't be edited, so I considered it a potential vulnerability. If you are not concerned about this bug/vulnerability, please mark it as informative.

Thorsten Rinne gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability 2 months ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit 215657 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 18 hours ago
to join this conversation