NetbyteSEC Security Advisory - Multiple Stored XSS Vulnerabilities in phpMyFAQ
Title: Multiple Stored XSS Vulnerabilities in phpMyFAQ
Advisory ID: NBS-2023-0001
Product: phpMyFAQ
Vulnerable Version: prior to 3.1.9
Fixed Version: 3.1.10
CVE ID: CVE-2023-0313
Homepage: https://www.phpmyfaq.de/
Date of Discovery: Dec 13th 2022
Author: Baharuddin Zulkifli | NetbyteSEC
Product Description
phpMyFAQ is an open-source FAQ web application with a completely database-driven FAQ system. It also supports various databases to store all the data such as MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, and SQLite3.
Source: https://github.com/thorsten/phpMyFAQ
Vulnerability
1) Stored Cross Site Scripting (XSS)
CVE-ID: CVE-2023-0313
Risk: Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Reference: https://huntr.dev/bounties/bc27e84b-1f91-4e1b-a78c-944edeba8256/
Description:
A Cross-Site Scripting vulnerability in phpMyFAQ v3.1.9 allows attackers to execute arbitrary JavaScript code in a victim's browser. It affects multiple modules (User Management, Category, FAQ News, and Configuration Settings).
Proof of Concept
Figure 1: HTTP POST request
The snippet above shows an HTTP POST request that sends user information to the user management module. The message body of the request is in JSON format, and its realName field contains an HTML image tag whose onerror attribute executes a JavaScript payload that triggers an alert displaying the domain of the website.
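The rendering flaw described above, shown beside a hardened form. This is an added example, not phpMyFAQ's code or its actual fix; the function names, the table-cell markup, the email field and the sample body are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample body shaped like the request the advisory describes:
// JSON whose realName field carries an <img> tag with an onerror handler.
$body = '{"realName": "<img src=x onerror=alert(document.domain)>", "email": "user@example.test"}';

/** Decode the JSON body; reject malformed JSON or a non-string realName. */
function parseUserPayload(string $json): array
{
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['realName'] ?? null)) {
        throw new InvalidArgumentException('realName must be a string');
    }
    return $data;
}

/** Vulnerable pattern: the stored value is concatenated into HTML unchanged. */
function renderRowUnsafe(array $user): string
{
    return '<td class="real-name">' . $user['realName'] . '</td>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function renderRowSafe(array $user): string
{
    $name = htmlspecialchars(
        $user['realName'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<td class="real-name">' . $name . '</td>';
}

$user = parseUserPayload($body);

// The stored markup reaches the browser as a live tag.
echo renderRowUnsafe($user), PHP_EOL;

// The same value is emitted as inert text (&lt;img src=x ...&gt;).
echo renderRowSafe($user), PHP_EOL;
```

Encoding at output time matters because the value is stored: every page that later renders realName needs the same treatment, regardless of what the input handler accepted.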
Solution
Update to phpMyFAQ version v3.1.10.
Timeline
2022-12-13: Submitted private disclosure report on the platform https://huntr.dev/
2022-12-14: Developer acknowledged the report
2022-12-16: The developer validated the vulnerability
2023-01-06: The developer gave notice that this vulnerability has been fixed in the next release, v3.1.10
2023-01-16: Public release of security advisory
NetByteSEC Sdn Bhd
===================
NetbyteSEC Sdn Bhd was incorporated under the Malaysian Companies Act 1965 in 2013.
NetbyteSEC is privately owned and is based in Cyberjaya, Selangor, Malaysia.
More information about NetbyteSEC Sdn Bhd can be found at:
https://www.netbytesec.com