There is a stored XSS in the ‘adminlog’ functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows (failed) login attempts. If a user with the username ‘<script>alert(1);</script>’ tries to log in, it gets logged and displayed on the adminlog unsanitized.
<script>alert(1);</script>
after the failed login attempt, visit
You will notice the script tags being injected:
Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found.
sanitize $loggingValue[‘text’] in https://github.com/thorsten/phpMyFAQ/blob/5bd0f79d085feb255d893a67d2fcdac51f4cd2ec/phpmyfaq/admin/stat.adminlog.php#L123 before serving it to the admin user.