phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- 4.0.14
- 4.0.15
- 4.1.0-RC
A stored cross-site scripting vulnerability has been identified in phpMyFAQ versions 4.0.14 and 4.0.15. This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of an administrator. The issue arises when a user is registered with a display name that includes HTML entities. When an administrator accesses the user list, the payload is decoded on the server and rendered without proper escaping, leading to script execution in the context of the admin. phpMyFAQ version 4.0.16 has addressed this vulnerability.
Exploitation of this vulnerability allows for stored cross-site scripting in the admin context, which could lead to compromising an admin session, exfiltrating CSRF tokens, performing privileged actions as an admin, or facilitating UI redress attacks within the admin panel.
To reproduce this vulnerability, register a new user account with a display name containing HTML entities, such as an entity-encoded image tag with an 'onerror' event handler. After registration completes, the injected JavaScript executes when an administrator views the user list, demonstrating the cross-site scripting vulnerability.
Users can upgrade to phpMyFAQ version 4.0.16 or later to address this vulnerability.
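The decode-then-render flaw described above, shown beside an output-escaped rendering, as an added PHP example that is not phpMyFAQ's code or its actual patch. The function names and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows: display names as they might be stored for users.
// The second hides markup behind HTML entities, as the advisory describes.
$users = [
    ['login' => 'alice',   'display_name' => 'Alice Example'],
    ['login' => 'mallory', 'display_name' => '&lt;img src=x onerror=alert(1)&gt;'],
    ['login' => 'bob',     'display_name' => 'Bob &amp; Sons'],
];

// Vulnerable pattern: entities are decoded on the server and the result is
// written into the page as-is, so decoded markup becomes live HTML.
function renderCellVulnerable(string $displayName): string
{
    return '<td>' . html_entity_decode($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Hardened pattern: whatever decoding happens upstream, the value is escaped
// for the HTML context at the moment it is written out.
function renderCellHardened(string $displayName): string
{
    $decoded = html_entity_decode($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Audit helper: flag stored names that turn into markup after one decode pass.
function decodesToMarkup(string $displayName): bool
{
    $decoded = html_entity_decode($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $decoded !== strip_tags($decoded);
}

foreach ($users as $user) {
    $name = $user['display_name'];
    printf(
        "%-8s flagged=%s\n  vulnerable: %s\n  hardened:   %s\n",
        $user['login'],
        decodesToMarkup($name) ? 'yes' : 'no',
        renderCellVulnerable($name),
        renderCellHardened($name)
    );
}
```

The audit helper decodes only once, so a name that was entity-encoded several times needs repeated decoding before the comparison.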