XSS Stored inside Admin logs in thorsten/phpmyfaq

Valid

Reported on

Oct 30th 2022

Description

If an attacker attempt to login with an XSS payload inside the username, the login attempt will be logged on the admin dashboard. Then, if an admin visits the login logs page, it will execute the XSS.

Proof of Concept

Login with XSS inside username

Admin visits logs

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose. Source OWASP - Cross Site Scripting (XSS).

References

Imgur Images

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago

Thorsten Rinne validated this vulnerability a year ago

xanhacks has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne

commented a year ago

Maintainer

Interesting attack vector :-)

Thorsten Rinne marked this as fixed in 3.1.9 with commit 1adf42 a year ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability will not receive a CVE

xanhacks

commented a year ago

Researcher

Yes this one was pretty interesting, perfect fix btw. Could we assign a CVE ? @admin @maintainer

Thorsten Rinne gave praise a year ago

Yes, you can. The 3.1.9 release will take some days.

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Pavlos

commented a year ago

Admin

The CVE is now in the hands of the maintainer, he will be asked if he wants one assigned on publication :)

Thorsten Rinne published this vulnerability a year ago

to join this conversation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago

Thorsten Rinne validated this vulnerability a year ago

xanhacks has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne

commented a year ago

Maintainer

Interesting attack vector :-)

Thorsten Rinne marked this as fixed in 3.1.9 with commit 1adf42 a year ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability will not receive a CVE

xanhacks

commented a year ago

Researcher

Yes this one was pretty interesting, perfect fix btw. Could we assign a CVE ? @admin @maintainer

Thorsten Rinne gave praise a year ago

Yes, you can. The 3.1.9 release will take some days.

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Pavlos

commented a year ago

Admin

The CVE is now in the hands of the maintainer, he will be asked if he wants one assigned on publication :)

Thorsten Rinne published this vulnerability a year ago

to join this conversation