ghsa-jv8r-hv7q-p6vc
Vulnerability from github
Summary
A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.
Details
Root cause is the following chain:
- User-controlled input stored: attacker-provided display_name (real name) is stored in DB (often as HTML entities, e.g., <img ...>).
- Decode on read: phpmyfaq/src/phpMyFAQ/User/UserData.php decodes display_name using html_entity_decode(...) (“for backward compatibility”).
- Unsafe sink: admin user list renders the decoded value unescaped using Twig |raw:
- phpmyfaq/assets/templates/admin/user/users.twig (users table uses {{ user.display_name|raw }})
As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.
Note: This report is about the display_name field + entity-decoding path. It is distinct from previously published issues focused on the email field.
PoC (minimal reproduction)
Preconditions / configuration
- Registration enabled (security.enableRegistration = true).
- Attacker does not need admin privileges.
- Admin must view the admin user list page.
Steps
1. As an unauthenticated user, open the registration page and create a new account.
2. Set the display name / real name field to the following entity-encoded payload:
- <img src=x onerror=alert(1)>
3. Complete registration.
4. As an administrator, open the admin user list (example):
- http://127.0.0.1:8080/admin/user/list
5. Observe JavaScript execution in the admin’s browser (e.g., alert(1) triggers) and the payload is rendered as an actual <img> element.
Impact
Stored XSS in the admin context can enable: - admin session compromise (depending on cookie flags), - CSRF token exfiltration and privileged admin actions, - UI redress/phishing within the admin panel.
Evidence (what I observed)
- Stored DB value (entities):
<img src=x onerror=alert(1)> - Rendered HTML in admin user list:
<img src="x" onerror="alert(1)">
Affected versions
Confirmed by code inspection
- 4.0.14
- 4.0.15
- Both contain html_entity_decode for display_name in UserData.php and {{ user.display_name|raw }} in users.twig.
Confirmed by live reproduction - 4.1.0-RC (tested on current source checkout)
Environment (tested)
- Host OS: macOS 15.6.1 (24G90)
- Web container OS: Debian GNU/Linux 12 (bookworm)
- PHP: 8.4.5RC1
- DB: MariaDB 11.6.2
- phpMyFAQ source commit (tested): bca1c4192c2ad61a3595b4289d9551a51e0e9848
Contact / Credit
- jeongwoolee340@gmail.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.14"
},
{
"fixed": "4.0.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68951"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-29T22:12:35Z",
"nvd_published_at": "2025-12-29T16:15:43Z",
"severity": "MODERATE"
},
"details": "### Summary\nA stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator\u2019s browser by registering a user whose **display name** contains HTML entities (e.g., `\u0026lt;img ...\u0026gt;`). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.\n\n### Details\nRoot cause is the following chain:\n- **User-controlled input stored**: attacker-provided `display_name` (real name) is stored in DB (often as HTML entities, e.g., `\u0026lt;img ...\u0026gt;`).\n- **Decode on read**: `phpmyfaq/src/phpMyFAQ/User/UserData.php` decodes `display_name` using `html_entity_decode(...)` (\u201cfor backward compatibility\u201d).\n- **Unsafe sink**: admin user list renders the decoded value unescaped using Twig `|raw`:\n - `phpmyfaq/assets/templates/admin/user/users.twig` (users table uses `{{ user.display_name|raw }}`)\n\nAs a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.\n\nNote: This report is about the `display_name` field + entity-decoding path. It is distinct from previously published issues focused on the `email` field.\n\n### PoC (minimal reproduction)\n**Preconditions / configuration**\n- Registration enabled (`security.enableRegistration = true`).\n- Attacker does not need admin privileges.\n- Admin must view the admin user list page.\n\n**Steps**\n1. As an unauthenticated user, open the registration page and create a new account.\n2. Set the **display name / real name** field to the following entity-encoded payload:\n - `\u0026lt;img src=x onerror=alert(1)\u0026gt;`\n3. Complete registration.\n4. As an administrator, open the admin user list (example):\n - `http://127.0.0.1:8080/admin/user/list`\n5. Observe JavaScript execution in the admin\u2019s browser (e.g., `alert(1)` triggers) and the payload is rendered as an actual `\u003cimg\u003e` element.\n\n### Impact\nStored XSS in the admin context can enable:\n- admin session compromise (depending on cookie flags),\n- CSRF token exfiltration and privileged admin actions,\n- UI redress/phishing within the admin panel.\n\n### Evidence (what I observed)\n- Stored DB value (entities):\n `\u0026lt;img src=x onerror=alert(1)\u0026gt;`\n- Rendered HTML in admin user list:\n `\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e`\n\n### Affected versions\n**Confirmed by code inspection**\n- 4.0.14\n- 4.0.15\n - Both contain `html_entity_decode` for `display_name` in `UserData.php` and `{{ user.display_name|raw }}` in `users.twig`.\n\n**Confirmed by live reproduction**\n- 4.1.0-RC (tested on current source checkout)\n\n### Environment (tested)\n- Host OS: macOS 15.6.1 (24G90)\n- Web container OS: Debian GNU/Linux 12 (bookworm)\n- PHP: 8.4.5RC1\n- DB: MariaDB 11.6.2\n- phpMyFAQ source commit (tested): bca1c4192c2ad61a3595b4289d9551a51e0e9848\n\n### Contact / Credit\n- jeongwoolee340@gmail.com",
"id": "GHSA-jv8r-hv7q-p6vc",
"modified": "2025-12-29T22:12:35Z",
"published": "2025-12-29T22:12:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68951"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ has Stored XSS in user list via admin-managed display_name"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.