Blind Stored XSS in admin panel (open question page) in thorsten/phpmyfaq

Valid

Reported on

Dec 17th 2022


Description

Blind stored XSS: any unauthorized or anonymous (visitor) user, without any privileges, can inject an XSS payload into the "Your Name" input field on the "Add question" page. The payload is then executed in the admin panel on the Open Question page.

Proof of Concept

https://drive.google.com/file/d/1RusFJNXtxx-bzELJZLk-ZZZH0lX6ydWp/view?usp=sharing

Impact

Leads to admin account takeover.
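
The pattern behind this class of bug, shown as an added example (this is not phpMyFAQ's code and not the fix from the commit referenced below): a visitor-supplied name is stored as-is and later written into an admin listing, once without and once with output encoding. The row layout, field names and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored "Add question" submissions.
// Field names are hypothetical, not phpMyFAQ's schema.
$openQuestions = [
    ['id' => 1, 'username' => 'Alice', 'question' => 'How do I reset my password?'],
    ['id' => 2, 'username' => '"><script>alert(1)</script>', 'question' => 'Test'],
];

/** Encode untrusted text for an HTML element or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored visitor input concatenated into admin markup. */
function renderRowUnsafe(array $row): string
{
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        $row['id'],
        $row['username'],
        $row['question']
    );
}

/** Hardened pattern: every stored field is encoded at output time. */
function renderRowSafe(array $row): string
{
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        (int) $row['id'],
        e((string) $row['username']),
        e((string) $row['question'])
    );
}

foreach ($openQuestions as $row) {
    // A raw "<script" surviving into the markup would be executed by the
    // admin's browser; after encoding it is displayed as inert text.
    $unsafeHit = stripos(renderRowUnsafe($row), '<script') !== false ? 'yes' : 'no';
    $safeHit   = stripos(renderRowSafe($row), '<script') !== false ? 'yes' : 'no';
    printf("row %d: raw tag in unsafe=%s, in safe=%s\n", $row['id'], $unsafeHit, $safeHit);
    echo renderRowSafe($row), "\n";
}
```

Encoding at output time covers rows that were stored before any input filter existed, which matters for stored XSS because the payload is already in the database when the admin page renders it.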

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 5 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 5 months ago
Thorsten Rinne gave praise 5 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability 5 months ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.10 with commit 376d1d 5 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
Thorsten Rinne published this vulnerability 4 months ago