thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ site while generating an HTML Export. This has been fixed in 3.1.12.

**thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via HTML export**

Moderate severity GitHub Reviewed Published Apr 5, 2023 to the GitHub Advisory Database • Updated Apr 6, 2023

GHSA-8p48-ghv5-7qq7: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via HTML export

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

**This is a security release, upgrading is recommended**

This release fixes several security issues that has been recently discovered. Update is **recommended!**

You can download the **GLPI 10.0.7 archive** on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

*   \[SECURITY - High\] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
*   \[SECURITY - High\] Account takeover by authenticated user (CVE-2023-28632).
*   \[SECURITY - High\] SQL injection through dynamic reports (CVE-2023-28838).
*   \[SECURITY - Moderate\] Stored XSS through dashboard administration (CVE-2023-28852).
*   \[SECURITY - Moderate\] Stored XSS on external links (CVE-2023-28636).
*   \[SECURITY - Moderate\] Reflected XSS in search pages (CVE-2023-28639).
*   \[SECURITY - Moderate\] Privilege Escalation from technician to super-admin (CVE-2023-28634).
*   \[SECURITY - Low\] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

*   \[SECURITY\] Optional GLPI router to be able to use a safer web server root directory.
*   \[FEATURE\] Support of SMTP OAuth authentication.
*   \[FEATURE\] Improved inventory file upload feature.
*   \[FIX\] Many fixes and improvements on native inventory.
*   \[FIX\] Some bugs on PHP 8.2.
*   \[FIX\] Caching issues on entities.
*   \[FIX\] Boolean FullText operator not working on knowledge base search.
*   \[FIX\] Unexpected search results when using negative condition on ticket actors.
*   \[FIX\] Issues with LDAP filters/DN.
*   \[FIX\] Unexpected results when searching on knowledge base categories.

The **full changelog is available** for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

CVE-2023-28849: Release 10.0.7 · glpi-project/glpi

The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin.

**Package**

plugin/order (glpi)

**Affected versions**

\>= 1.8.0

**Patched versions**

2.7.7, 2.10.1

**Description**

**Impact**

An authenticated user that has access to standard interface can craft an URL that can be used to execute a system command.

**Patches**

Upgrade to 2.10.1.

**Workarounds**

Delete the ajax/dropdownContact.php file from the plugin.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

CVE-2023-29006: RCE from authenticated user

The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected.

CVE-2022-4937: Changeset 2630745 for wc-frontend-manager – WordPress Plugin Repository

The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action).

Timestamp:

11/16/2021 01:04:41 PM (17 months ago)

wclovers

Message:

Ajax calls user permission check imposed  

Location:

wc-multivendor-marketplace

Files:

  

*   tags/3.4.12/core/class-wcfmmp-media.php (2 diffs)
*   tags/3.4.12/core/class-wcfmmp-product-multivendor.php (2 diffs)
*   tags/3.4.12/core/class-wcfmmp-reviews.php (3 diffs)
*   trunk/core/class-wcfmmp-media.php (2 diffs)
*   trunk/core/class-wcfmmp-product-multivendor.php (2 diffs)
*   trunk/core/class-wcfmmp-reviews.php (3 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wc-multivendor-marketplace/tags/3.4.12/core/class-wcfmmp-media.php**
    
    r2629651
    
    r2630696
    
     
    
    189
    
    189
    
        }
    
    190
    
    190
    
       
    
     
    
    191
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    192
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    193
    
                wp\_die();
    
     
    
    194
    
            }
    
     
    
    195
    
       
    
    191
    
    196
    
        $mediaid = absint($\_POST\['mediaid'\]);
    
    192
    
    197
    
       
    
    …
    
    …
    
     
    
    215
    
    220
    
            wp\_die();
    
    216
    
    221
    
        }
    
     
    
    222
    
       
    
     
    
    223
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    224
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    225
    
                wp\_die();
    
     
    
    226
    
            }
    
    217
    
    227
    
       
    
    218
    
    228
    
        if( isset($\_POST\['selected\_media'\]) ) {
    
*   **wc-multivendor-marketplace/tags/3.4.12/core/class-wcfmmp-product-multivendor.php**
    
    r2629651
    
    r2630696
    
     
    
    347
    
    347
    
        global $WCFM, $WCFMmp, $wp, $WCFM\_Query, $\_POST, $wpdb;
    
    348
    
    348
    
       
    
     
    
    349
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    350
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    351
    
                wp\_die();
    
     
    
    352
    
            }
    
     
    
    353
    
       
    
    349
    
    354
    
        if( !class\_exists( 'WC\_Admin\_Duplicate\_Product' ) ) {
    
    350
    
    355
    
                include( WC\_ABSPATH . 'includes/admin/class-wc-admin-duplicate-product.php' );
    
    …
    
    …
    
     
    
    383
    
    388
    
      function wcfmmp\_product\_multivendor\_bulk\_clone() {
    
    384
    
    389
    
        global $WCFM, $WCFMmp, $wp, $WCFM\_Query, $\_POST, $wpdb;
    
     
    
    390
    
       
    
     
    
    391
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    392
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    393
    
                wp\_die();
    
     
    
    394
    
            }
    
    385
    
    395
    
       
    
    386
    
    396
    
            if ( empty( $\_POST\['product\_ids'\] ) ) {
    
*   **wc-multivendor-marketplace/tags/3.4.12/core/class-wcfmmp-reviews.php**
    
    r2629651
    
    r2630696
    
     
    
    279
    
    279
    
        }
    
    280
    
    280
    
       
    
     
    
    281
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    282
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    283
    
                wp\_die();
    
     
    
    284
    
            }
    
     
    
    285
    
       
    
    281
    
    286
    
        $reviewid = absint($\_POST\['reviewid'\]);
    
    282
    
    287
    
        $status   = absint($\_POST\['status'\]);
    
    …
    
    …
    
     
    
    401
    
    406
    
        }
    
    402
    
    407
    
       
    
     
    
    408
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    409
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    410
    
                wp\_die();
    
     
    
    411
    
            }
    
     
    
    412
    
       
    
    403
    
    413
    
        $reviewid = absint($\_POST\['reviewid'\]);
    
    404
    
    414
    
            $status   = absint($\_POST\['status'\]);
    
    …
    
    …
    
     
    
    429
    
    439
    
            wp\_die();
    
    430
    
    440
    
        }
    
     
    
    441
    
       
    
     
    
    442
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    443
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    444
    
                wp\_die();
    
     
    
    445
    
            }
    
    431
    
    446
    
       
    
    432
    
    447
    
        $reviewid = absint($\_POST\['reviewid'\]);
    
*   **wc-multivendor-marketplace/trunk/core/class-wcfmmp-media.php**
    
    r2628276
    
    r2630696
    
     
    
    189
    
    189
    
        }
    
    190
    
    190
    
       
    
     
    
    191
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    192
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    193
    
                wp\_die();
    
     
    
    194
    
            }
    
     
    
    195
    
       
    
    191
    
    196
    
        $mediaid = absint($\_POST\['mediaid'\]);
    
    192
    
    197
    
       
    
    …
    
    …
    
     
    
    215
    
    220
    
            wp\_die();
    
    216
    
    221
    
        }
    
     
    
    222
    
       
    
     
    
    223
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    224
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    225
    
                wp\_die();
    
     
    
    226
    
            }
    
    217
    
    227
    
       
    
    218
    
    228
    
        if( isset($\_POST\['selected\_media'\]) ) {
    
*   **wc-multivendor-marketplace/trunk/core/class-wcfmmp-product-multivendor.php**
    
    r2628276
    
    r2630696
    
     
    
    347
    
    347
    
        global $WCFM, $WCFMmp, $wp, $WCFM\_Query, $\_POST, $wpdb;
    
    348
    
    348
    
       
    
     
    
    349
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    350
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    351
    
                wp\_die();
    
     
    
    352
    
            }
    
     
    
    353
    
       
    
    349
    
    354
    
        if( !class\_exists( 'WC\_Admin\_Duplicate\_Product' ) ) {
    
    350
    
    355
    
                include( WC\_ABSPATH . 'includes/admin/class-wc-admin-duplicate-product.php' );
    
    …
    
    …
    
     
    
    383
    
    388
    
      function wcfmmp\_product\_multivendor\_bulk\_clone() {
    
    384
    
    389
    
        global $WCFM, $WCFMmp, $wp, $WCFM\_Query, $\_POST, $wpdb;
    
     
    
    390
    
       
    
     
    
    391
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    392
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    393
    
                wp\_die();
    
     
    
    394
    
            }
    
    385
    
    395
    
       
    
    386
    
    396
    
            if ( empty( $\_POST\['product\_ids'\] ) ) {
    
*   **wc-multivendor-marketplace/trunk/core/class-wcfmmp-reviews.php**
    
    r2629651
    
    r2630696
    
     
    
    279
    
    279
    
        }
    
    280
    
    280
    
       
    
     
    
    281
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    282
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    283
    
                wp\_die();
    
     
    
    284
    
            }
    
     
    
    285
    
       
    
    281
    
    286
    
        $reviewid = absint($\_POST\['reviewid'\]);
    
    282
    
    287
    
        $status   = absint($\_POST\['status'\]);
    
    …
    
    …
    
     
    
    401
    
    406
    
        }
    
    402
    
    407
    
       
    
     
    
    408
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    409
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    410
    
                wp\_die();
    
     
    
    411
    
            }
    
     
    
    412
    
       
    
    403
    
    413
    
        $reviewid = absint($\_POST\['reviewid'\]);
    
    404
    
    414
    
            $status   = absint($\_POST\['status'\]);
    
    …
    
    …
    
     
    
    429
    
    439
    
            wp\_die();
    
    430
    
    440
    
        }
    
     
    
    441
    
       
    
     
    
    442
    
        if ( !current\_user\_can( 'manage\_woocommerce' ) && !current\_user\_can( 'wcfm\_vendor' ) && !current\_user\_can( 'shop\_staff' ) ) {
    
     
    
    443
    
            wp\_send\_json\_error( esc\_html\_\_( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );
    
     
    
    444
    
                wp\_die();
    
     
    
    445
    
            }
    
    431
    
    446
    
       
    
    432
    
    447
    
        $reviewid = absint($\_POST\['reviewid'\]);
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-4935: Changeset 2630696 for wc-multivendor-marketplace – WordPress Plugin Repository

Business Logic Errors in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -8,12 +8,12 @@

\* v. 2.0. If a copy of the MPL was not distributed with this file, You can

\* obtain one at http://mozilla.org/MPL/2.0/.

\*

\* @package phpMyFAQ

\* @author Thorsten Rinne <thorsten@phpmyfaq.de>

\* @package phpMyFAQ

\* @author Thorsten Rinne <thorsten@phpmyfaq.de>

\* @copyright 2003-2022 phpMyFAQ Team

\* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0

\* @link https://www.phpmyfaq.de

\* @since 2003-02-23

\* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0

\* @link https://www.phpmyfaq.de

\* @since 2003-02-23

\*/

  

use Abraham\\TwitterOAuth\\TwitterOAuth;

@@ -41,7 +41,7 @@

exit();

}

  

if ($user\->perm\->hasPermission($user\->getUserId(), 'edit\_faq') || $user\->perm\->hasPermission($user\->getUserId(), 'add\_faq')) {

if ($user\->perm\->hasPermission($user\->getUserId(), 'add\_faq')) {

// FAQ data

$dateStart = Filter::filterInput(INPUT\_POST, 'dateStart', FILTER\_UNSAFE\_RAW);

$dateEnd = Filter::filterInput(INPUT\_POST, 'dateEnd', FILTER\_UNSAFE\_RAW);

CVE-2023-1887: fix: corrected wrong check on user permission · thorsten/phpMyFAQ@400d9cd

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Hello,

I identified a CAPTCHA Bypass after trying many Posts in the Comments Section.

Lets see :)

sent successfully!

let's see the comments

Comments are available

The Question Form is also vulnerable for Captcha Bypass please check it also too.

Thank you

**Impact**

Hello,

I identified a CAPTCHA Bypass after trying many Posts in the Comments Section.

Lets see :)

sent successfully!

let's see the comments

Comments are available

The Question Form is also vulnerable for Captcha Bypass please check it also too.

Thank you

CVE-2023-1886: Captcha Bypass allows sending unlimited Comments in phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Code That has a Vulnerability:

                // Updates an existing category
                if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
    
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                    $image = count($uploadedFile) ? $categoryImage->getFileName(
                        $categoryId,
                        $categoryLang
                    ) : $existingImage;
    
                    $categoryData = [
                        'id' => $categoryId,
                        'lang' => $categoryLang,
                        'parent_id' => $parentId,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $image,
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                    ];
    

Code without that vulnerability:

                // Save a new category
                if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                    $categoryData = [
                        'lang' => $categoryLang,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                    ];
    

Request:

    POST /admin/?action=updatecategory HTTP/2
    Host: roy.demo.phpmyfaq.de
    Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
    Content-Length: 1934
    Origin: https://roy.demo.phpmyfaq.de
    Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="catlang"
    
    en
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="parent_id"
    
    0
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="csrf"
    
    EDITthis
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="existing_image"
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="name"
    
    <script>alert(1)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="description"
    
    </textarea><script>alert(2)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="active"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="show_home"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="user_id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="grouppermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="userpermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="restricted_users"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------14208207025422371582565391486--
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

@@ -21,6 +21,7 @@

use phpMyFAQ\\Category\\CategoryRelation;

use phpMyFAQ\\Database;

use phpMyFAQ\\Filter;

use phpMyFAQ\\Strings;

  

if (!defined('IS\_VALID\_PHPMYFAQ')) {

http\_response\_code(400);

@@ -319,9 +320,10 @@

foreach ($category\->getCategoryTree() as $id => $cat) {

// CategoryHelper translated in this language?

if ($cat\['lang'\] == $lang) {

$categoryName = $cat\['name'\];

$categoryName = Strings::htmlentities($cat\['name'\]);

} else {

$categoryName = $cat\['name'\] . ' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

$categoryName = Strings::htmlentities($cat\['name'\]) .

' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

}

CVE-2023-1885: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@fecc803

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -1258,6 +1258,39 @@ public function hasTranslation(int $recordId, string $recordLang): bool return false; }  
public function isActive(int $recordId, string $recordLang, string $commentType = 'faq'): bool { if ('news' === $commentType) { $table = 'faqnews'; } else { $table = 'faqdata'; }  
$query = sprintf( " SELECT active FROM %s%s WHERE id = %d AND lang = '%s'", Database::getTablePrefix(), $table, $recordId, $this\->config\->getDb()->escape($recordLang) );  
$result = $this\->config\->getDb()->query($query);  
if ($row = $this\->config\->getDb()->fetchObject($result)) { return !(($row\->active === 'y' || $row\->active === 'yes')); } else { return true; } }  
/\*\* \* Checks, if comments are disabled for the FAQ record. \* @@ -1268,7 +1301,7 @@ public function hasTranslation(int $recordId, string $recordLang): bool \*/ public function commentDisabled(int $recordId, string $recordLang, string $commentType = 'faq'): bool { if ('news' == $commentType) { if ('news' ==\= $commentType) { $table = 'faqnews'; } else { $table = 'faqdata';

Tag

#php