Cross-site Scripting (XSS)

2023-02-2015:47:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

xss

thorsten/phpmyfaq

html entities

faq-proposal

admin account takeover

0.001 Low

EPSS

Percentile

23.5%

JSON

thorsten/phpmyfaq is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the missing conversion for HTML entities in report.view.php, allowing an attacker to inject and execute malicious JavaScript through the FAQ-Proposal, which leads to an admin account takeover.

CPENameOperatorVersion
thorsten/phpmyfaqle3.1.10
phpmyfaq/phpmyfaqle3.1.10
thorsten/phpmyfaqle3.1.10
phpmyfaq/phpmyfaqle3.1.10

Name	Operator	Version
thorsten/phpmyfaq	le	3.1.10
phpmyfaq/phpmyfaq	le	3.1.10
thorsten/phpmyfaq	le	3.1.10
phpmyfaq/phpmyfaq	le	3.1.10

References

github.com/advisories/GHSA-jfpg-jggf-rpph

github.com/thorsten/phpmyfaq/commit/ce676eb9e9d8cb7864f36ee124e838b1ad15415f

huntr.dev/bounties/8c74ccab-0d1d-4c6b-a0fa-803aa65de04f

huntr.dev/bounties/8c74ccab-0d1d-4c6b-a0fa-803aa65de04f/

0.001 Low

EPSS

Percentile

23.5%

JSON

Related for VERACODE:39364