phpMyFAQ, Stored XSS via |raw and html_entity_decode bypass, CVE-2024-XXXX (Critical)


How CVE-2024-XXXX works:

The vulnerability resides in phpMyFAQ’s search result template `search.twig`, which applies Twig’s `|raw` filter to `result.question` and `result.answerPreview`. `|raw` disables Twig’s auto-escaping, so whatever those variables contain is emitted as live HTML. An attacker with FAQ editor/contributor privileges stores an XSS payload encoded as HTML entities (e.g., `&lt;svg onload=…&gt;`). The search pipeline then runs `strip_tags()` first, which removes nothing because the entities contain no literal `<` or `>`, and `html_entity_decode()` second, which turns the entities back into real tags. The reconstituted markup reaches `|raw` unescaped and executes in the browser of every visitor, administrators included, whose search matches the poisoned FAQ. This bypasses the earlier fix for GHSA-cv2g-8cj8-vgc7; at the time of writing no patched release is available. Seven further `|raw` uses in `search.twig` widen the attack surface. The result is not a one-off reflected XSS but a persistent, cross-privilege injection that can be used to exfiltrate session cookies.
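As an added illustration (not phpMyFAQ’s own code), the PHP below models the filter ordering described above, strip_tags() before html_entity_decode(), and contrasts it with a hardened pipeline that normalises before filtering and escapes at output, which is what removing `|raw` achieves. The function names and the two sample payloads are constructed for this example.

```php
<?php
// Added example, not phpMyFAQ code. Helper names (vulnerablePipeline,
// hardenedPipeline, containsLiveMarkup) and payloads are constructed.
declare(strict_types=1);

// Constructed attacker input: an entity-encoded tag. strip_tags() sees no '<' or '>'.
const ENCODED_PAYLOAD = 'How do I reset my password? &lt;svg onload=alert(1)&gt;';
// Constructed double-encoded variant: survives one decode-then-strip round.
const DOUBLE_ENCODED_PAYLOAD = 'Reset password &amp;lt;svg onload=alert(1)&amp;gt;';

/**
 * Models the order the advisory describes: strip_tags() first, then
 * html_entity_decode(). Entities are not tags, so strip_tags() is a no-op,
 * and the decode step reconstitutes live markup that |raw then emits verbatim.
 */
function vulnerablePipeline(string $stored): string
{
    $stripped = strip_tags($stored);
    return html_entity_decode($stripped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened variant: decode until stable (so double-encoding cannot hide a tag),
 * strip, and then escape for the HTML context at output. The last step is the
 * one that matters: with |raw gone, the template does this escaping itself.
 */
function hardenedPipeline(string $stored): string
{
    $decoded = $stored;
    do {
        $previous = $decoded;
        $decoded = html_entity_decode($previous, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    } while ($decoded !== $previous);
    $stripped = strip_tags($decoded);
    return htmlspecialchars($stripped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// True if the fragment still contains something strip_tags() would remove,
// i.e. markup a browser would parse as an element.
function containsLiveMarkup(string $html): bool
{
    return strip_tags($html) !== $html;
}

foreach ([ENCODED_PAYLOAD, DOUBLE_ENCODED_PAYLOAD] as $payload) {
    $vuln = vulnerablePipeline($payload);
    $safe = hardenedPipeline($payload);
    printf("input:      %s\n", $payload);
    printf("vulnerable: %s  live=%s\n", $vuln, containsLiveMarkup($vuln) ? 'yes' : 'no');
    printf("hardened:   %s  live=%s\n\n", $safe, containsLiveMarkup($safe) ? 'yes' : 'no');
}
```

Run with `php bypass_demo.php`. For the first payload the vulnerable pipeline prints a live `<svg onload=alert(1)>` (live=yes) while the hardened one prints only the inert question text; the double-encoded payload shows why a fix that merely swaps the two calls is still fragile and why output escaping, not input filtering, is the real control.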

DailyCVE form:

Platform: phpMyFAQ
Version: ≤4.1.1
Vulnerability: Stored XSS
Severity: Critical
Date: 2024-08-22

Prediction: 2024-10-15

What Undercode Say:

Check for vulnerable |raw usage in search.twig
grep -n '|raw' /path/to/phpmyfaq/assets/templates/default/search.twig
Simulate the strip_tags()-then-html_entity_decode() bypass (the entity-encoded input passes strip_tags() untouched and comes back as a live tag)
echo '&lt;svg onload=alert(1)&gt;' | php -r 'echo html_entity_decode(strip_tags(file_get_contents("php://stdin")), ENT_COMPAT, "UTF-8");'
Audit logSearchTerm() for missing sanitization
grep -A5 'function logSearchTerm' /path/to/phpmyfaq/src/phpMyFAQ/Search.php

Exploit:

  • Attacker with editor role injects `` as HTML entities in FAQ question/answer.
  • Victim searches for keyword → payload decodes → XSS executes → session cookie sent to attacker.
  • Alternative payloads: <details open ontoggle=alert(document.cookie)>, `