Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
Description
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in phpMyFAQ prior to 3.1.17 allows attackers to inject arbitrary web scripts via FAQ content.
Vulnerability
Overview
CVE-2023-6890 is a stored cross-site scripting (XSS) vulnerability in phpMyFAQ, an open-source FAQ application. The root cause is missing output encoding of user-supplied content in FAQ entries and search results: the fix wraps those outputs in Strings::htmlentities() and cleanUpContent() calls before they are written into HTML [3]. Prior to version 3.1.17, the application did not encode several output fields as HTML entities, including FAQ content, search-result question text and category names [1][3].
Exploitation
An attacker with author-level access can exploit this vulnerability by crafting malicious FAQ content containing JavaScript payloads. When other users, including administrators, view the affected FAQ or search results, the injected script executes in their browser context. No special network position is required; the attack is conducted through the normal web interface [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, phishing attacks, or defacement. Because the XSS is stored, the malicious payload persists and affects every subsequent viewer of the compromised content [4].
Mitigation
The vulnerability is patched in phpMyFAQ version 3.1.17, which introduces proper HTML entity encoding for FAQ content and related fields [3]. Users should upgrade to this version or apply the relevant commit (97d90eb) to mitigate the risk. There are no known workarounds; updating is the recommended action [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
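To make the root cause described in the Overview and the fix described under Mitigation concrete, the following PHP is an added example; it is not phpMyFAQ code and not part of this page. The record layout, the render*() helpers, the esc() wrapper around htmlentities(), the findActiveMarkup() check, the sample URL and the payloads are all constructed for the illustration. It renders a constructed FAQ record through a pre-fix-shaped and a fixed-shaped version of the two output paths the patch touches (the category/title/content overview and the search-result anchor), parses each result with DOMDocument to report which one still carries executable markup, and finishes by showing why encoding must be applied exactly once. One caveat: where a field is HTML by design (a FAQ answer body), the sink needs an allowlist sanitiser rather than entity encoding, which this example does not implement; esc() is the plain-text treatment.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. The record layout, the render*()
// helpers, the URL and the payloads below are constructed for this example;
// they mirror only the shape of the output the fix touches (an overview made
// of <h3>/<h4>/<article> and a search-result anchor), nothing more.

// Encoder for both element text and attribute values. ENT_QUOTES escapes
// ' and " so a value cannot close a quoted attribute; ENT_SUBSTITUTE keeps
// malformed UTF-8 from making htmlentities() return '' and silently drop text.
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A constructed FAQ record as an author could store it. The title breaks out
// of an attribute, the content carries a tag with an event handler, and the
// category name carries a script element.
const RECORD = [
    'title'    => 'How do I reset my password?" onmouseover="alert(1)',
    'content'  => '<p>See the manual.</p><img src=x onerror="alert(document.cookie)">',
    'category' => 'Accounts <script>alert(2)</script>',
];
const URL = 'https://faq.example.test/?action=faq&id=42';   // constructed

// Pre-fix shape: only the title was encoded; category and content went out raw.
function renderOverviewVulnerable(array $r): string
{
    return sprintf('<h3>%s</h3><h4>%s</h4><article>%s</article>',
        $r['category'], esc($r['title']), $r['content']);
}

// Fixed shape: every untrusted field encoded exactly once, at the output sink.
function renderOverviewFixed(array $r): string
{
    return sprintf('<h3>%s</h3><h4>%s</h4><article>%s</article>',
        esc($r['category']), esc($r['title']), esc($r['content']));
}

// Search result: the question is used as link text and as a title attribute,
// so one value must be safe in two contexts (text and double-quoted attribute).
function renderSearchResultVulnerable(array $r, string $url): string
{
    return sprintf('<li><strong>%s</strong>: <a href="%s" title="%s">%s</a></li>',
        $r['category'], $url, $r['title'], $r['title']);
}

function renderSearchResultFixed(array $r, string $url): string
{
    return sprintf('<li><strong>%s</strong>: <a href="%s" title="%s">%s</a></li>',
        esc($r['category']), esc($url), esc($r['title']), esc($r['title']));
}

// Regression check that parses the rendered HTML the way a browser would
// (grepping for "onerror" would also match the harmless encoded text) and
// reports script-bearing elements and on* attributes that survived encoding.
function findActiveMarkup(string $html): array
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->tagName);
        if (in_array($tag, ['script', 'iframe', 'object', 'embed'], true)) {
            $found[] = "<$tag>";
        }
        foreach ($el->attributes as $attr) {
            if (strncasecmp($attr->name, 'on', 2) === 0) {
                $found[] = "<$tag {$attr->name}>";
            }
        }
    }
    return $found;
}

$cases = [
    'overview, vulnerable'      => renderOverviewVulnerable(RECORD),
    'overview, fixed'           => renderOverviewFixed(RECORD),
    'search result, vulnerable' => renderSearchResultVulnerable(RECORD, URL),
    'search result, fixed'      => renderSearchResultFixed(RECORD, URL),
];
foreach ($cases as $label => $html) {
    $hits = findActiveMarkup($html);
    printf("%-26s %s\n", $label, $hits ? 'active markup: ' . implode(' ', $hits) : 'inert');
}

// Entity encoding is not idempotent. Applying esc() twice (the nested
// cleanUpContent() call on the category path in the FaqHelper hunk is this
// pattern, if that method encodes) corrupts the » separator for the reader.
$path = 'Accounts » Passwords';
printf("encoded once:  %s\nencoded twice: %s\n", esc($path), esc(esc($path)));
```

Save it as, say, xss_sinks.php and run `php xss_sinks.php`. The two vulnerable renderings report `<script>`, `<img onerror>` and `<a onmouseover>`, the fixed ones report inert, and the last two lines show `&raquo;` turning into `&amp;raquo;` on the second pass, which is the visible symptom to look for when a helper such as cleanUpContent() ends up applied twice.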
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thorsten/phpmyfaq (Packagist) | < 3.1.17 | 3.1.17 |
Affected products
- thorsten / thorsten/phpmyfaq v5 (Range: unspecified)
Patches
97d90ebbe11e fix: added missing conversion to HTML entities
2 files changed · +10 −5
phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php+7 −2 modified@@ -187,11 +187,16 @@ public function createOverview(Category $category, Faq $faq, string $language = $lastCategory = 0; foreach ($faq->faqRecords as $data) { if ($data['category_id'] !== $lastCategory) { - $output .= sprintf('<h3>%s</h3>', $category->getPath($data['category_id'], ' » ')); + $output .= sprintf( + '<h3>%s</h3>', + $this->cleanUpContent( + $this->cleanUpContent($category->getPath($data['category_id'], ' » ')) + ) + ); } $output .= sprintf('<h4>%s</h4>', Strings::htmlentities($data['title'])); - $output .= sprintf('<article>%s</article>', $data['content']); + $output .= sprintf('<article>%s</article>', $this->cleanUpContent($data['content'])); $output .= sprintf( '<p>%s: %s<br>%s', $PMF_LANG['msgAuthor'],
phpmyfaq/src/phpMyFAQ/Helper/SearchHelper.php+3 −3 modified@@ -258,14 +258,14 @@ public function renderSearchResult(SearchResultSet $resultSet, int $currentPage) ); $oLink = new Link($currentUrl, $this->config); - $oLink->text = $question; - $oLink->itemTitle = $oLink->tooltip = $result->question; + $oLink->text = Strings::htmlentities($question); + $oLink->itemTitle = $oLink->tooltip = Strings::htmlentities($result->question); $html .= '<li>'; $html .= $this->renderScore($result->score * 33); $html .= sprintf( '<strong>%s</strong>: %s<br>', - $categoryInfo[0]['name'], + Strings::htmlentities($categoryInfo[0]['name']), $oLink->toHtmlAnchor() ); $html .= sprintf(
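Review bot: in the FaqHelper.php hunk the category path is passed through cleanUpContent() twice (`$this->cleanUpContent($this->cleanUpContent($category->getPath($data['category_id'], ' » ')))`); unless that method is idempotent, the inner call double-encodes the ` » ` separator and any `&` in a category name, so the inner call should go. The same hunk now routes `$data['content']` through cleanUpContent() while `$data['title']` keeps Strings::htmlentities(); if `$data['content']` is meant to carry markup inside `<article>`, a one-line comment saying what cleanUpContent() does (allowlist sanitiser versus entity encoder) and why it differs from the title's treatment would help, since the diff does not show its definition.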
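Review bot: in the SearchHelper.php hunk `$oLink->text`, `$oLink->itemTitle` and `$oLink->tooltip` are encoded before being handed to Link, and `$oLink->toHtmlAnchor()` is what finally emits them; confirm that toHtmlAnchor() does not escape these properties itself, otherwise the tooltip shows `&quot;` and `&amp;` literally and the fix belongs inside Link instead. Because itemTitle and tooltip end up in attribute context, also confirm that Strings::htmlentities() uses ENT_QUOTES, so a double quote in a question cannot close the attribute.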
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.