CVE-2025-68951
phpMyFAQ has Stored XSS in user list via admin-managed display_name
Description
### Summary A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose **display name** contains HTML entities (e.g., `<img ...>`). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. ### Details Root cause is the following chain: - **User-controlled input stored**: attacker-provided `display_name` (real name) is stored in DB (often as HTML entities, e.g., `<img ...>`). - **Decode on read**: `phpmyfaq/src/phpMyFAQ/User/UserData.php` decodes `display_name` using `html_entity_decode(...)` (“for backward compatibility”). - **Unsafe sink**: admin user list renders the decoded value unescaped using Twig `|raw`: - `phpmyfaq/assets/templates/admin/user/users.twig` (users table uses `{{ user.display_name|raw }}`) As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list. Note: This report is about the `display_name` field + entity-decoding path. It is distinct from previously published issues focused on the `email` field. ### PoC (minimal reproduction) **Preconditions / configuration** - Registration enabled (`security.enableRegistration = true`). - Attacker does not need admin privileges. - Admin must view the admin user list page. **Steps** 1. As an unauthenticated user, open the registration page and create a new account. 2. Set the **display name / real name** field to the following entity-encoded payload: - `<img src=x onerror=alert(1)>` 3. Complete registration. 4. As an administrator, open the admin user list (example): - `http://127.0.0.1:8080/admin/user/list` 5. Observe JavaScript execution in the admin’s browser (e.g., `alert(1)` triggers) and the payload is rendered as an actual `<img>` element. ### Impact Stored XSS in the admin context can enable: - admin session compromise (depending on cookie flags), - CSRF token exfiltration and privileged admin actions, - UI redress/phishing within the admin panel. ### Evidence (what I observed) - Stored DB value (entities): `<img src=x onerror=alert(1)>` - Rendered HTML in admin user list: `<img src="x" onerror="alert(1)">` ### Affected versions **Confirmed by code inspection** - 4.0.14 - 4.0.15 - Both contain `html_entity_decode` for `display_name` in `UserData.php` and `{{ user.display_name|raw }}` in `users.twig`. **Confirmed by live reproduction** - 4.1.0-RC (tested on current source checkout) ### Environment (tested) - Host OS: macOS 15.6.1 (24G90) - Web container OS: Debian GNU/Linux 12 (bookworm) - PHP: 8.4.5RC1 - DB: MariaDB 11.6.2 - phpMyFAQ source commit (tested): bca1c4192c2ad61a3595b4289d9551a51e0e9848 ### Contact / Credit - Contact: jeongwoolee340@gmail.com