Lucene search
Tsarsecurity93F981A3-231D-460D-A239-BB960E8C2FDCHistoryFeb 16, 2023 - 1:37 a.m.
Stored XSS in the adminlog functionality.
2023-02-1601:37:04
tsarsecurity
www.huntr.dev
8
stored xss
adminlog
unsanitized input
phpmyfaq
admin user
bug bounty
0.001 Low
EPSS
Percentile
23.5%
Description
There is a stored XSS in the ‘adminlog’ functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows (failed) login attempts. If a user with the username ‘<script>alert(1);</script>’ tries to log in, it gets logged and displayed on the adminlog unsanitized.
Proof of Concept
- visit http://phpmyfaq.tld/admin/index.php and try to login with
<script>alert(1);</script>
after the failed login attempt, visit
- (as admin) http://phpmyfaq.tld/admin/?action=adminlog to trigger the XSS.
You will notice the script tags being injected:
Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found.
Fix
sanitize $loggingValue[‘text’] in https://github.com/thorsten/phpMyFAQ/blob/5bd0f79d085feb255d893a67d2fcdac51f4cd2ec/phpmyfaq/admin/stat.adminlog.php#L123 before serving it to the admin user.
Related
github
github
osv
osv
CVE-2023-1878
2023-04-05 17:15:07
prion
prion
Cross site scripting
2023-04-05 17:15:00
veracode
veracode
Stored Cross-site Scripting (XSS)
2023-04-20 05:35:50
cve
cve
CVE-2023-1878
2023-04-05 17:15:07
cvelist
cvelist
CVE-2023-1878 Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
2023-04-05 00:00:00
nvd
nvd
CVE-2023-1878
2023-04-05 17:15:07
openvas
openvas
phpMyFAQ < 3.1.12 Multiple Vulnerabilities
2023-04-04 00:00:00