4 matches found

Source: OSV
added 2025/12/29 10:12 p.m., 0 views

GHSA-JV8R-HV7Q-P6VC phpMyFAQ has Stored XSS in user list via admin-managed display_name

Summary A stored cross-site scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities e.g., img .... When an administrator views the admin user list, the payload is decoded server-si...

CVSS 5.4, AI score 5.7, EPSS 0.00024
Exploits: 0, References: 5

Source: Vulnrichment
added 2025/12/29 3:18 p.m., 1 view

CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw

phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...

CVSS 5.4, AI score 5.6, EPSS 0.00024
Exploits: 0, References: 3

Source: Cvelist
added 2025/12/29 3:18 p.m., 21 views

CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw

phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...

CVSS 5.4, EPSS 0.00024
Exploits: 0, References: 3

Source: CVE
added 2025/12/29 3:18 p.m., 4 views

CVE-2025-68951

CVE-2025-68951 affects phpMyFAQ. Versions 4.0.14 and 4.0.15 contain a stored XSS vulnerability where an attacker’s HTML entities in a display_name are decoded server-side and rendered unescaped in the admin user list (Twig |raw), enabling script execution in an administrator’s context. A patch ex...

CVSS 6.1, AI score 5.6, EPSS 0.00024
Exploits: 0, References: 3, Affected Software: 1