Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
Description
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in phpMyFAQ < 3.2.2 allows an attacker who can upload attachments to inject arbitrary JavaScript via attachment filenames that are rendered into HTML without escaping.
Vulnerability
CVE-2023-5867 is a stored cross-site scripting (XSS) vulnerability in the phpMyFAQ web application, affecting versions prior to 3.2.2. The root cause is missing output encoding where attachment filenames are rendered: in phpmyfaq/src/phpMyFAQ/Helper/AttachmentHelper.php, renderAttachmentList() interpolates the result of getFilename() straight into the link text of each <li><a> entry, and phpmyfaq/admin/record.edit.php does the same for the attachment list shown in the admin record editor [1][3]. Because the filename is a user-supplied value, any HTML it contains becomes part of the page. The fix wraps both uses in Strings::htmlentities(), which converts the special characters to HTML entities so the browser displays them as text rather than interpreting them as markup [3].
Exploitation
An attacker with the ordinary privileges of a content contributor (the ability to create or edit FAQ records and upload attachments) can upload a file whose name contains HTML markup, for example a <script> element or an <img> tag with an onerror handler, followed by a plausible extension such as .pdf. The name is stored as supplied and, each time the FAQ's attachment list is rendered, is written into the page without encoding, so the browser executes the embedded script in the origin of the phpMyFAQ site for any user who views that FAQ. Because the admin record editor renders the same list, an administrator who opens the record to review the attachment is also exposed. No authentication bypass is needed; the default permissions of a contributor who can attach files are sufficient [2][4].
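The following is an added example, not phpMyFAQ's own code, that puts the pre-3.2.2 rendering pattern described in the Vulnerability and Exploitation sections beside an encoded version and runs both against a constructed malicious filename. The FakeAttachment class, the encodeHtml() and check() helpers and the URL shape returned by buildUrl() are assumptions made for this example; the real Attachment class and Strings::htmlentities() wrapper are not reproduced. It requires PHP 8.0 or later.

```php
<?php
// Added example (not phpMyFAQ's own code): the pre-3.2.2 rendering pattern
// beside an encoded version, run against a constructed malicious filename.
// FakeAttachment, encodeHtml(), check() and the URL shape are assumptions
// made for this example; phpMyFAQ's real Attachment class is not reproduced.
declare(strict_types=1);

// Stand-in for the attachment object: only the two methods the renderer
// calls are modelled.
final class FakeAttachment
{
    public function __construct(
        private int $id,
        private string $filename,
    ) {
    }

    public function getFilename(): string
    {
        return $this->filename;
    }

    // Hypothetical URL shape; the real buildUrl() output is not shown on the page.
    public function buildUrl(): string
    {
        return 'index.php?action=attachment&id=' . $this->id;
    }
}

// Vulnerable renderer: the filename is interpolated into the markup unchanged,
// so any HTML inside it becomes part of the page.
function renderAttachmentListVulnerable(array $attachments): string
{
    $html = '<ul>';
    foreach ($attachments as $att) {
        $html .= sprintf(
            '<li><i class="fa fa-file" aria-hidden="true"></i> <a href="%s">%s</a></li>',
            $att->buildUrl(),
            $att->getFilename()
        );
    }
    return $html . '</ul>';
}

// Encoder for values placed in HTML text or attribute content. ENT_QUOTES
// covers both quote characters (matters once the helper is reused inside an
// attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise make a filename disappear silently.
function encodeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed renderer: every untrusted value is encoded for the slot it lands in,
// the href included, not only the filename.
function renderAttachmentListFixed(array $attachments): string
{
    $html = '<ul>';
    foreach ($attachments as $att) {
        $html .= sprintf(
            '<li><i class="fa fa-file" aria-hidden="true"></i> <a href="%s">%s</a></li>',
            encodeHtml($att->buildUrl()),
            encodeHtml($att->getFilename())
        );
    }
    return $html . '</ul>';
}

// Explicit check helper: PHP's assert() is compiled out when zend.assertions
// is -1, so a thrown exception is the reliable way to fail the run.
function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed input: a filename carrying an event-handler payload, as an
// attacker with attachment-upload permission could supply, plus a benign
// name with an ampersand to show the encoding is lossless for display.
$malicious = new FakeAttachment(7, '<img src=x onerror=alert(document.cookie)>report.pdf');
$benign = new FakeAttachment(8, 'Q3 report & notes.pdf');

$before = renderAttachmentListVulnerable([$malicious, $benign]);
$after = renderAttachmentListFixed([$malicious, $benign]);

check(str_contains($before, '<img src=x onerror='), 'vulnerable output carries the raw tag');
check(!str_contains($after, '<img'), 'fixed output carries no injected tag');
check(str_contains($after, '&lt;img src=x onerror=alert(document.cookie)&gt;report.pdf'), 'payload is rendered as text');
check(str_contains($after, 'Q3 report &amp; notes.pdf'), 'ampersand is entity-encoded');
check(str_contains($after, 'href="index.php?action=attachment&amp;id=7"'), 'href is attribute-encoded');

echo "vulnerable:\n", $before, "\n\nfixed:\n", $after, "\n";
```

Run it with `php example.php`; the script throws if any check fails and otherwise prints both renderings so the raw `<img ... onerror=...>` in the vulnerable output can be compared with the `&lt;img ...&gt;` text in the fixed one. The encoder is applied to the href as well, which the phpMyFAQ patch does not do; that is a deliberate broadening to show that every interpolated value, not just the one named in the CVE, needs encoding for its context.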
Impact
Successful exploitation lets the attacker run script in the victim's browser within the phpMyFAQ origin and so act on the victim's behalf: stealing the session cookie (unless it is flagged HttpOnly, in which case the script can still issue authenticated requests from the victim's browser), exfiltrating data the victim can read, or performing administrative operations when the victim holds elevated privileges. Because the XSS is stored, the payload persists in the application's database and fires on every subsequent render of the affected page, including in the admin record editor [2].
Mitigation
The vulnerability was patched in phpMyFAQ 3.2.2 (released on or about October 31, 2023); users must upgrade to 3.2.2 or later. Commit 5310cb8c37dc3a5c5aead0898690b14705c433d3 contains the full fix [3]. No workaround has been documented. Until the upgrade is applied, restricting attachment-upload and record-editing permissions to trusted users reduces exposure, and stored attachment names containing HTML markup (such as < or >) are worth reviewing afterwards as an indicator that the flaw was exploited before the upgrade, since the patch encodes output at render time and does not alter names already in the database.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thorsten/phpmyfaq (Packagist) | < 3.2.2 | 3.2.2 |
Affected products
- thorsten/phpmyfaq: version range unspecified
Patches
1. 5310cb8c37dc (fix: added missing conversion to HTML entities)
2 files changed · +3 −2
phpmyfaq/admin/record.edit.php+1 −1 modified@@ -484,7 +484,7 @@ class="form-control"> printf( '<li><a href="../%s">%s</a> ', $att->buildUrl(), - $att->getFilename() + Strings::htmlentities($att->getFilename()) ); if ($user->perm->hasPermission($currentUserId, 'delattachment')) { printf(
phpmyfaq/src/phpMyFAQ/Helper/AttachmentHelper.php+2 −1 modified@@ -18,6 +18,7 @@ namespace phpMyFAQ\Helper; use phpMyFAQ\Attachment\AttachmentAbstract; +use phpMyFAQ\Strings; use phpMyFAQ\Translation; /** @@ -45,7 +46,7 @@ public function renderAttachmentList(array $attachmentList): string '<li><i class="fa fa-%s" aria-hidden="true"></i> <a href="%s">%s</a></li>', $this->mapMimeTypeToIcon($attachment->getMimeType()), $attachment->buildUrl(), - $attachment->getFilename() + Strings::htmlentities($attachment->getFilename()) ); }
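Review bot: in the record.edit.php hunk the new line calls Strings::htmlentities(), but unlike the AttachmentHelper.php hunk this file gets no `use phpMyFAQ\Strings;` added; if record.edit.php does not already import that class, the call resolves against the global namespace and fails at runtime rather than at parse time, so please confirm the import or add it, and cover the admin attachment list with a test that renders a filename containing `<`. In the same printf() the href is still built from `'../%s'` and the raw `$att->buildUrl()`; if that URL can ever carry user-controlled characters it needs the same treatment.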
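Review bot: in the AttachmentHelper.php hunk only the third sprintf() argument is encoded; `$attachment->buildUrl()` still lands in `href="%s"` and `$this->mapMimeTypeToIcon(...)` in the class attribute unescaped, so the fix is scoped to the filename rather than to the whole template. That is adequate for this CVE if those two values come from server-generated ids and a fixed MIME-to-icon map, but a short comment stating that assumption, or encoding them anyway, would stop the next reader from taking renderAttachmentList() as fully output-encoded. Since the flags passed by the Strings::htmlentities() wrapper are not visible in this diff, a regression test that passes a filename containing `<`, `"` and `'` through renderAttachmentList() and asserts on the entity-encoded result would pin the behaviour.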
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (4)
News mentions (0): No linked articles in our index yet.