5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-0787

GHSA ID

GHSA-gxxj-x426-xj2w

EPSS Score

0.29201%

CWE

CWE-79

Published

2/12/2023

Updated

2/23/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-0787

CVE-2023-0787: Cross-site Scripting in thorsten/phpmyfaq

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-0787

CVE-2023-0787:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-0787

GHSA ID

GHSA-gxxj-x426-xj2w

EPSS Score

0.29201%

CWE

CWE-79

Published

2/12/2023

Updated

2/23/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
thorsten/phpmyfaq	composer	< 3.1.11	3.1.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows two critical changes in renderOpenQuestions():

$row->username was converted to Strings::htmlentities($row->username)
strip_tags($row->question) was replaced with Strings::htmlentities($row->question)

This indicates the original code:

Outputted raw username (user-controlled) into HTML attributes
Used insufficient strip_tags() instead of proper HTML entity encoding for questions

Both patterns allow injection of arbitrary HTML/JS when user-supplied data contains payloads. The vulnerability manifests in the HTML generation logic of the open questions display feature.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-0787: Cross-site Scripting in thorsten/phpmyfaq

CVE-2023-0787:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.4

5.4

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-0787: Cross-site Scripting in thorsten/phpmyfaq

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI