Stored XSS in Question field due to lack of sanitization in Link.php in thorsten/phpmyfaq

Valid

Reported on

Jul 7th 2023


Description

Stored XSS (Cross-Site Scripting) is a type of web application vulnerability that allows an attacker to inject malicious scripts into a website or web application. Unlike reflected XSS, where the malicious script is embedded in a URL and executed immediately, stored XSS involves the persistence of the malicious script on the target website. In this case the FAQ Question field is stored without sanitization and rendered by Link.php, so the injected script executes for every user who views a category page listing the affected FAQ.

Proof of Concept

1. Log in as admin.
2. Go to Content -> Edit or Add FAQs and, in the Question field, enter an XSS payload such as `"><h1 onmouseover=alert(1)>XSS</h1>`
3. Go to a Category page that lists the FAQ containing the payload; the XSS triggers.

#POC https://drive.google.com/file/d/1thIMmEOUPSDTThO8eouvnYnBtAn_oOiW/view?usp=sharing
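The root cause is that the stored question is inserted into the generated link markup without escaping. The following is an added illustration, not phpMyFAQ's own code or the fix in commit 40eb96: it renders a question both as link text and as a title attribute with context-appropriate HTML escaping, using the payload from the report above as constructed input. The function names, the `/faq/1` path and the idea that the href is application-generated are assumptions for the example.

```php
<?php
// Added example (not phpMyFAQ's code): escaping an untrusted FAQ question
// when it is placed into HTML text and attribute contexts.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, so bad input cannot blank the output.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build an FAQ link. The question comes from stored, attacker-controllable
 * input (the admin editor), so it is escaped in both the title attribute
 * and the link text. The href is assumed to be generated by the application
 * (not user input); attribute escaping alone would not make a user-supplied
 * URL safe, since it does not block javascript: schemes.
 */
function renderFaqLink(string $href, string $question): string
{
    $safeQuestion = escapeHtml($question);
    $safeHref = escapeHtml($href);
    return sprintf('<a href="%s" title="%s">%s</a>', $safeHref, $safeQuestion, $safeQuestion);
}

// Constructed sample: the payload from the report, as it would be stored.
$storedQuestion = '"><h1 onmouseover=alert(1)>XSS</h1>';

// Vulnerable rendering, shown only for comparison: raw concatenation lets the
// leading "> close the title attribute and the anchor's start tag, so the
// stored <h1> with its onmouseover handler becomes live markup.
$vulnerable = '<a href="/faq/1" title="' . $storedQuestion . '">' . $storedQuestion . '</a>';

// Hardened rendering: quotes and angle brackets become entities, so the
// browser displays the payload literally and nothing executes.
$hardened = renderFaqLink('/faq/1', $storedQuestion);

echo "Vulnerable: {$vulnerable}\n";
echo "Hardened:   {$hardened}\n";
```

Escaping has to happen at output time and match the context (text node, attribute, URL, JavaScript), which is why sanitizing on input alone is not a reliable fix. Reviewing every place Link.php interpolates the question, and adding a Content Security Policy as defence in depth, are the checks a maintainer would want after a report like this.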

Impact

Phishing, theft of tokens and sessions, forcing the admin to perform arbitrary actions (such as adding a new admin or resetting the admin password), malware distribution, etc.

References

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 5 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 5 months ago
Thorsten Rinne validated this vulnerability 5 months ago
chonkysec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.16 with commit 40eb96 5 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 31st 2023
Thorsten Rinne published this vulnerability 4 months ago