VYPR
Moderate severity · NVD Advisory · Published Apr 5, 2023 · Updated Feb 10, 2025

Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq

CVE-2023-1885

Description

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in phpMyFAQ < 3.1.12 allows attackers to inject arbitrary web scripts via category names in the admin panel.

Vulnerability

Overview

CVE-2023-1885 is a stored cross-site scripting (XSS) vulnerability in the phpMyFAQ open-source FAQ application. Versions prior to 3.1.12 fail to sanitize category names when displaying them in the administration interface. The root cause is that category names were written into the admin page output without being converted to HTML entities; the fix commit adds a call to Strings::htmlentities() at that output site [3].

Exploitation

Vector

An authenticated user with the ability to create or edit categories (typically an administrator) can inject arbitrary JavaScript or HTML into the category name field. This stored payload is then rendered unsanitized on category management pages, executing in the browsers of other admin users who view or manage those categories [1][4]. No additional authentication is required on the victim's part beyond being an authenticated admin.

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of an administrator's session. This could lead to session hijacking, defacement of admin pages, theft of sensitive data, or further privilege escalation within the application. The stored nature of the XSS means the payload persists until cleaned, potentially affecting multiple users over time.

Mitigation

The vulnerability is fixed in phpMyFAQ version 3.1.12 [2]. Users are strongly advised to upgrade immediately. The fix explicitly applies Strings::htmlentities() to category names before output, preventing HTML injection [3]. No workarounds are documented.
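As an added illustration (not phpMyFAQ's own code, and not the Strings::htmlentities() wrapper used by the fix commit), the following PHP models the category-listing loop the patch touches, once in its pre-3.1.12 form and once with PHP's native htmlentities() applied, and runs both over constructed category rows, one of which carries an attacker-controlled name. The $categoryTree rows, the $languageCodes table, and the buildCategoryNameUnsafe(), buildCategoryNameSafe() and containsRawMarkup() helpers are assumptions made for this example.

```php
<?php
// Added example, not phpMyFAQ code. It models the admin category listing
// before and after the fix: a category name read from the database is
// placed into HTML. Row shapes, the language table and the helper names
// are assumed for illustration only.

declare(strict_types=1);

// Constructed sample rows, shaped like the $cat entries the patched loop
// iterates over. Row 2 is a constructed hostile name containing markup.
$categoryTree = [
    1 => ['name' => 'Billing & Payments', 'lang' => 'en'],
    2 => ['name' => '<script>alert(1)</script>', 'lang' => 'en'],
    3 => ['name' => 'Facturation', 'lang' => 'fr'],
];
$languageCodes = ['EN' => 'English', 'FR' => 'French']; // constructed lookup table
$lang = 'en';                                            // UI language of this request

// Vulnerable form (pre-3.1.12 behaviour as the advisory describes it):
// the raw, attacker-controlled name is concatenated straight into the HTML.
function buildCategoryNameUnsafe(array $cat, string $lang, array $languageCodes): string
{
    if ($cat['lang'] == $lang) {
        return $cat['name'];
    }
    return $cat['name'] . ' (' . ($languageCodes[strtoupper($cat['lang'])] ?? $cat['lang']) . ')';
}

// Fixed form: the untrusted part is entity-encoded before it reaches the
// markup. ENT_QUOTES also encodes ' and " so the value is safe in both text
// and quoted-attribute context; ENT_SUBSTITUTE avoids an empty string on
// invalid UTF-8, which would otherwise silently blank the name.
function buildCategoryNameSafe(array $cat, string $lang, array $languageCodes): string
{
    $name = htmlentities($cat['name'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    if ($cat['lang'] == $lang) {
        return $name;
    }
    return $name . ' (' . ($languageCodes[strtoupper($cat['lang'])] ?? $cat['lang']) . ')';
}

// Regression check: encoded output must never contain a raw angle bracket
// or an unencoded quote, whatever the stored name contained.
function containsRawMarkup(string $html): bool
{
    return preg_match('/[<>"\']/', $html) === 1;
}

foreach ($categoryTree as $id => $cat) {
    $unsafe = buildCategoryNameUnsafe($cat, $lang, $languageCodes);
    $safe   = buildCategoryNameSafe($cat, $lang, $languageCodes);
    printf(
        "%d unsafe: %s\n   safe: %s  (raw markup left: %s)\n",
        $id,
        $unsafe,
        $safe,
        containsRawMarkup($safe) ? 'yes' : 'no'
    );
}
```

Run it with `php example.php`. For row 2 the unsafe branch emits the stored `<script>` element verbatim, which is exactly what an admin's browser would execute, while the safe branch emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which renders as literal text. The flags matter: before PHP 8.1 the default for htmlentities() was ENT_COMPAT, which leaves single quotes unencoded, so a value reused inside a single-quoted attribute would still be injectable; passing ENT_QUOTES explicitly removes that dependence on the PHP version.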

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
thorsten/phpmyfaq (Packagist)    < 3.1.12            3.1.12

Affected products

3

Patches

1
fecc803ab9c3

fix: added missing conversion to HTML entities

https://github.com/thorsten/phpmyfaq · Thorsten Rinne · Feb 14, 2023 · via ghsa
1 file changed · +4 −2
  • phpmyfaq/admin/category.main.php  +4 −2  modified
    @@ -21,6 +21,7 @@
     use phpMyFAQ\Category\CategoryRelation;
     use phpMyFAQ\Database;
     use phpMyFAQ\Filter;
    +use phpMyFAQ\Strings;
     
     if (!defined('IS_VALID_PHPMYFAQ')) {
         http_response_code(400);
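Review bot: the new `use phpMyFAQ\Strings;` line is required by the Strings::htmlentities() calls introduced further down and is placed in the existing alphabetical import order (CategoryRelation, Database, Filter, Strings), so nothing to change here; just confirm no other file in the admin area outputs category names without the same import and call, since this commit covers only category.main.php.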
    @@ -319,9 +320,10 @@
                 foreach ($category->getCategoryTree() as $id => $cat) {
                     // CategoryHelper translated in this language?
                     if ($cat['lang'] == $lang) {
    -                    $categoryName = $cat['name'];
    +                    $categoryName = Strings::htmlentities($cat['name']);
                     } else {
    -                    $categoryName = $cat['name'] . ' (' . $languageCodes[strtoupper($cat['lang'])] . ')';
    +                    $categoryName = Strings::htmlentities($cat['name']) .
    +                        ' (' . $languageCodes[strtoupper($cat['lang'])] . ')';
                     }
     
     
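Review bot: encoding is applied at assignment in both branches, so every later use of $categoryName in this file must be an HTML text or attribute sink that does not encode again, otherwise names containing `&` or `<` will be double-encoded (`&amp;amp;`); please also confirm that Strings::htmlentities() passes ENT_QUOTES, because a value that ends up inside a single-quoted attribute would otherwise remain injectable. The language suffix built from `$languageCodes[strtoupper($cat['lang'])]` is still written unencoded, which is acceptable only if $languageCodes is a fixed in-code table; and a lookup for a language code missing from that table raises a PHP notice, so a null-coalescing fallback such as `?? $cat['lang']` would make the branch more robust.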
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.