Blind Stored XSS in administration panel in thorsten/phpmyfaq

Valid

Reported on Dec 15th 2022


Description

Blind stored XSS: any visitor without any privilege can create a "Proposal for a new FAQ" at the following URL, https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0, and add the XSS payload <img src=x onerror='alert("Stored XSS")'> in the "Your question" input field. This allows any anonymous visitor to steal admin cookies. Also, according to the previous bug "bypass captcha", I bypassed the captcha to send the request; the payload then alerted in the administration panel.
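
The sink pattern behind this class of bug, shown as an added illustration that is not phpMyFAQ's code and not the commit that fixed the report: the proposal text is stored verbatim and later interpolated into the moderation page that an administrator opens, so the onerror handler runs with the admin's session. The field name "question" and the table-cell markup are assumptions made for the example; the fix shown is output encoding at the HTML sink.

```php
<?php
// Illustrative example only; not code from phpMyFAQ or from the report.
// Demonstrates the stored-XSS sink in an admin listing and its hardened form.

// Constructed sample submission, as an anonymous visitor could send it through
// the "Proposal for a new FAQ" form. The field name 'question' is an assumption.
$submission = [
    'question' => '<img src=x onerror=\'alert("Stored XSS")\'>',
];

// Vulnerable pattern: the stored text is dropped into the admin panel's HTML
// unchanged, so the browser of whoever opens the page runs the onerror handler.
function renderQuestionVulnerable(string $question): string
{
    return "<td class=\"question\">{$question}</td>";
}

// Hardened pattern: encode at the HTML sink. ENT_QUOTES covers both quote
// styles so the value is also safe inside attribute values; ENT_SUBSTITUTE
// avoids htmlspecialchars() returning '' on invalid UTF-8, which would
// otherwise make a malformed submission vanish from the moderation queue.
function renderQuestionSafe(string $question): string
{
    $encoded = htmlspecialchars(
        $question,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<td class=\"question\">{$encoded}</td>";
}

// Quick self-check: the hardened output must contain no raw '<' from user input.
function containsRawTag(string $html, string $userInput): bool
{
    return str_contains($html, $userInput);
}

echo 'Vulnerable: ' . renderQuestionVulnerable($submission['question']) . PHP_EOL;
echo 'Hardened:   ' . renderQuestionSafe($submission['question']) . PHP_EOL;
echo 'Payload survives hardened render: '
    . (containsRawTag(renderQuestionSafe($submission['question']), $submission['question']) ? 'yes' : 'no')
    . PHP_EOL;
```

Encoding at the point of output, rather than trying to strip tags on input, is what makes the stored value harmless in every HTML context the admin panel renders it in; an input-side filter would still leave other entry points (imports, API, edits) unprotected. Independently of the XSS fix, marking the admin session cookie HttpOnly limits what a script that does execute can read from document.cookie.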

Proof of Concept

https://drive.google.com/file/d/11ow7qYIi8ciA6lOyyYDabiRHLdIGU-qr/view?usp=sharing

Impact

Leads to admin account takeover; the "Secure" cookie flag is also false.

Occurrences

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
Thorsten Rinne validated this vulnerability a year ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne marked this as fixed in 3.1.10 with commit 65d419 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
add.php#L66 has been validated
Thorsten Rinne published this vulnerability 10 months ago