GHSA-9525-27VJ-C8R8

Vulnerability from github – Published: 2026-05-06 20:10 – Updated: 2026-05-06 20:10
VLAI?
Summary
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering
Details

Summary

A stored XSS vulnerability in the comment rendering pipeline allows an authenticated user to inject JavaScript that executes for every visitor of an affected FAQ or News page. An attacker with a registered account can steal admin session cookies and take over the application.

Details

Utils::parseUrl() (phpmyfaq/src/phpMyFAQ/Utils.php, line 281) converts URLs in comment text into clickable <a> tags at render time:

$pattern = '/(https?:\/\/[^\s]+)/i';
$replacement = '<a href="$1">$1</a>';
return preg_replace($pattern, $replacement, $string);

The regex [^\s]+ matches " and <, and the URL is inserted into the href attribute with no htmlspecialchars() call. A URL with a literal " closes the attribute early and allows injecting event handlers like onmouseover.

This only reaches the sink when main.enableCommentEditor is enabled. In that path, comment text goes through sanitizeHtmlComment() instead of FILTER_SANITIZE_SPECIAL_CHARS — which encodes " — so the double-quote survives to storage. The comment is then passed through parseUrl() and rendered via {{ comment.comment|raw }} in comment.macros.twig (line 40), which disables Twig auto-escaping.

The same sink exists in the admin comment panel (admin/content/comments.twig, lines 62 and 112), so admins viewing the panel are also affected.

No Content-Security-Policy headers are set anywhere in the app.

PoC

Requirements: - main.enableCommentEditor = true (set in admin Configuration panel) - attacker has any registered user account - one FAQ entry with comments allowed exists

Steps: 1. Log in as a registered user and open a FAQ with comments. 2. Submit the following as the comment text:

   https://www.evil.com/"onmouseover="alert(document.cookie)

(www. prefix required — parseUrl strips https:// then only re-adds it for www. URLs, which is what triggers the linkification)

  1. Any user who views that FAQ page and hovers the link triggers the payload. To hit an admin, wait for them to visit the page or check the admin comments panel at /admin/content/comments.

Resulting HTML in the page:

<a href="https://www.evil.com/"onmouseover="alert(document.cookie)">
  ...
</a>

The " closes the href attribute; onmouseover becomes a real attribute.

Impact

Stored XSS affecting all visitors of the page, including admins. Session cookie theft leads to full admin account takeover. The payload looks like a normal URL and persists until manually deleted.

Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.1"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.1.1"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.1"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.1.1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:10:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA stored XSS vulnerability in the comment rendering pipeline allows an authenticated user to inject JavaScript that executes for every visitor of an affected FAQ or News page. An attacker with a registered account can steal admin session cookies and take over the application.\n\n### Details\n\n`Utils::parseUrl()` (`phpmyfaq/src/phpMyFAQ/Utils.php`, line 281) converts URLs in comment text into clickable `\u003ca\u003e` tags at render time:\n\n    $pattern = \u0027/(https?:\\/\\/[^\\s]+)/i\u0027;\n    $replacement = \u0027\u003ca href=\"$1\"\u003e$1\u003c/a\u003e\u0027;\n    return preg_replace($pattern, $replacement, $string);\n\nThe regex `[^\\s]+` matches `\"` and `\u003c`, and the URL is inserted into the href attribute with no htmlspecialchars() call. A URL with a literal `\"` closes the attribute early and allows injecting event handlers like onmouseover.\n\nThis only reaches the sink when `main.enableCommentEditor` is enabled. In that path, comment text goes through `sanitizeHtmlComment()` instead of `FILTER_SANITIZE_SPECIAL_CHARS` \u2014 which encodes `\"` \u2014 so the double-quote survives to storage. The comment is then passed through parseUrl() and rendered via `{{ comment.comment|raw }}` in `comment.macros.twig` (line 40), which disables Twig auto-escaping.\n\nThe same sink exists in the admin comment panel (`admin/content/comments.twig`, lines 62 and 112), so admins viewing the panel are also affected.\n\nNo Content-Security-Policy headers are set anywhere in the app.\n\n### PoC\n\nRequirements:\n- main.enableCommentEditor = true (set in admin Configuration panel)\n- attacker has any registered user account\n- one FAQ entry with comments allowed exists\n\nSteps:\n1. Log in as a registered user and open a FAQ with comments.\n2. Submit the following as the comment text:\n\n       https://www.evil.com/\"onmouseover=\"alert(document.cookie)\n\n   (www. prefix required \u2014 parseUrl strips https:// then only re-adds\n   it for www. URLs, which is what triggers the linkification)\n\n3. Any user who views that FAQ page and hovers the link triggers the\n   payload. To hit an admin, wait for them to visit the page or check\n   the admin comments panel at /admin/content/comments.\n\nResulting HTML in the page:\n\n    \u003ca href=\"https://www.evil.com/\"onmouseover=\"alert(document.cookie)\"\u003e\n      ...\n    \u003c/a\u003e\n\nThe `\"` closes the href attribute; onmouseover becomes a real attribute.\n\n### Impact\n\nStored XSS affecting all visitors of the page, including admins. Session cookie theft leads to full admin account takeover. The payload looks like a normal URL and persists until manually deleted.",
  "id": "GHSA-9525-27vj-c8r8",
  "modified": "2026-05-06T20:10:48Z",
  "published": "2026-05-06T20:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.