Blind Stored XSS in administration panel in thorsten/phpmyfaq
Valid
Reported on
Dec 15th 2022
Description
Blind stored XSS : any visitor user without any privilege can create "Proposal for a new FAQ" at the following URL https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0 and add XSS payload <img src=x onerror='alert("Stored XSS")'> in "Your question" input field allows any anonymous visitor can steal admin cookies also according the previous bug "bypass captcha" i bypass the captcha to send the request then the payload alerted in administration panel
Proof of Concept
https://drive.google.com/file/d/11ow7qYIi8ciA6lOyyYDabiRHLdIGU-qr/view?usp=sharing
Impact
Lead to admin account takeover also "Secure" flag is false
Occurrences
We are processing your report and will contact the
thorsten/phpmyfaq
team within 24 hours.
5 months ago
We have contacted a member of the
thorsten/phpmyfaq
team and are waiting to hear back
5 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
Thorsten Rinne
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Jan 31st 2023
add.php#L66
has been validated
to join this conversation
