Blind Stored XSS in admin panel (open question page) in thorsten/phpmyfaq
Valid
Reported on
Dec 17th 2022
Description
Blind stored XSS via any unauthorized or anonymous (visitor) user without any privileges can inject XSS payload in "Add question" page in "Your Name" input field then it will be executed in admin panel in Open Question page
Proof of Concept
https://drive.google.com/file/d/1RusFJNXtxx-bzELJZLk-ZZZH0lX6ydWp/view?usp=sharing
Impact
Lead to admin account takeover
We are processing your report and will contact the
thorsten/phpmyfaq
team within 24 hours.
5 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
Thorsten Rinne
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Jan 31st 2023
to join this conversation
