Описание
phpMyFAQ has Stored XSS in user list via admin-managed display_name
Summary
A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.
Details
Root cause is the following chain:
- User-controlled input stored: attacker-provided
display_name(real name) is stored in DB (often as HTML entities, e.g.,<img ...>). - Decode on read:
phpmyfaq/src/phpMyFAQ/User/UserData.phpdecodesdisplay_nameusinghtml_entity_decode(...)(“for backward compatibility”). - Unsafe sink: admin user list renders the decoded value unescaped using Twig
|raw:phpmyfaq/assets/templates/admin/user/users.twig(users table uses{{ user.display_name|raw }})
As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.
Note: This report is about the display_name field + entity-decoding path. It is distinct from previously published issues focused on the email field.
PoC (minimal reproduction)
Preconditions / configuration
- Registration enabled (
security.enableRegistration = true). - Attacker does not need admin privileges.
- Admin must view the admin user list page.
Steps
- As an unauthenticated user, open the registration page and create a new account.
- Set the display name / real name field to the following entity-encoded payload:
<img src=x onerror=alert(1)>
- Complete registration.
- As an administrator, open the admin user list (example):
http://127.0.0.1:8080/admin/user/list
- Observe JavaScript execution in the admin’s browser (e.g.,
alert(1)triggers) and the payload is rendered as an actual<img>element.
Impact
Stored XSS in the admin context can enable:
- admin session compromise (depending on cookie flags),
- CSRF token exfiltration and privileged admin actions,
- UI redress/phishing within the admin panel.
Evidence (what I observed)
- Stored DB value (entities):
<img src=x onerror=alert(1)> - Rendered HTML in admin user list:
<img src="x" onerror="alert(1)">
Affected versions
Confirmed by code inspection
- 4.0.14
- 4.0.15
- Both contain
html_entity_decodefordisplay_nameinUserData.phpand{{ user.display_name|raw }}inusers.twig.
- Both contain
Confirmed by live reproduction
- 4.1.0-RC (tested on current source checkout)
Environment (tested)
- Host OS: macOS 15.6.1 (24G90)
- Web container OS: Debian GNU/Linux 12 (bookworm)
- PHP: 8.4.5RC1
- DB: MariaDB 11.6.2
- phpMyFAQ source commit (tested): bca1c4192c2ad61a3595b4289d9551a51e0e9848
Contact / Credit
- Contact: jeongwoolee340@gmail.com
Пакеты
thorsten/phpmyfaq
>= 4.0.14, < 4.0.16
4.0.16
Связанные уязвимости
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.