logo

Database

Server side cross-site scripting In thorsten/phpmyfaq

Description

phpMyFAQ has Stored XSS in user list via admin-managed display_name

Summary

A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.

Details

Root cause is the following chain:

    User-controlled input stored: attacker-provided display_name (real name) is stored in DB (often as HTML entities, e.g., <img ...>).

    Decode on read: phpmyfaq/src/phpMyFAQ/User/UserData.php decodes display_name using html_entity_decode(...) (“for backward compatibility”).

    Unsafe sink: admin user list renders the decoded value unescaped using Twig |raw:

      phpmyfaq/assets/templates/admin/user/users.twig (users table uses {{ user.display_name|raw }})

As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.

Note: This report is about the display_name field + entity-decoding path. It is distinct from previously published issues focused on the email field.

PoC (minimal reproduction)

Preconditions / configuration

    Registration enabled (security.enableRegistration = true).

    Attacker does not need admin privileges.

    Admin must view the admin user list page.

Steps

    As an unauthenticated user, open the registration page and create a new account.

    Set the display name / real name field to the following entity-encoded payload:

      <img src=x onerror=alert(1)>

    Complete registration.

    As an administrator, open the admin user list (example):

      http://127.0.0.1:8080/admin/user/list

    Observe JavaScript execution in the admin’s browser (e.g., alert(1) triggers) and the payload is rendered as an actual <img> element.

Impact

Stored XSS in the admin context can enable:

    admin session compromise (depending on cookie flags),

    CSRF token exfiltration and privileged admin actions,

    UI redress/phishing within the admin panel.

Evidence (what I observed)

    Stored DB value (entities): &lt;img src=x onerror=alert(1)&gt;

    Rendered HTML in admin user list: <img src="x" onerror="alert(1)">

Affected versions

Confirmed by code inspection

    4.0.14

    4.0.15

      Both contain html_entity_decode for display_name in UserData.php and {{ user.display_name|raw }} in users.twig.

Confirmed by live reproduction

    4.1.0-RC (tested on current source checkout)

Environment (tested)

    Host OS: macOS 15.6.1 (24G90)

    Web container OS: Debian GNU/Linux 12 (bookworm)

    PHP: 8.4.5RC1

    DB: MariaDB 11.6.2

    phpMyFAQ source commit (tested): bca1c4192c2ad61a3595b4289d9551a51e0e9848

Contact / Credit

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-689512. NVD-2025-689513. OSV-2025-689514. GHSA-jv8r-hv7q-p6vc5. GCVE-2025-68951

References

1. https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc2. https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c3703. https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.