Miggo Logo
Miggo Vulnerability Database
CVE-2023-1878

CVE-2023-1878: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via adminlog

8.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-1878
GHSA ID
GHSA-gcmq-7652-x98j
EPSS Score
0.21348%
CWE
CWE-79
Published
4/5/2023
Updated
4/6/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
thorsten/phpmyfaqcomposer< 3.1.123.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff explicitly shows that the vulnerability stemmed from unescaped output of $loggingValue['text'] in stat.adminlog.php. The patch added Strings::htmlentities() to sanitize this user-controlled input. Since the vulnerable code was inline in the admin log display logic (not within a named function), the entire code block responsible for rendering the log text is identified as the vulnerable component. The high confidence comes from the direct correlation between the missing sanitization in the diff and the XSS vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

t*orst*n/p*pmy**q prior to *.*.** is vuln*r**l* to stor** *ross-sit* s*riptin* (XSS) ****us* it **ils to s*nitiz* us*r input in t** **minlo*. T*is **s ***n *ix** in *.*.**.

Reasoning

T** *ommit *i** *xpli*itly s*ows t**t t** vuln*r**ility st*mm** *rom un*s**p** output o* $lo**in*V*lu*['t*xt'] in `st*t.**minlo*.p*p`. T** p*t** ***** `Strin*s::*tml*ntiti*s()` to s*nitiz* t*is us*r-*ontroll** input. Sin** t** vuln*r**l* *o** w*s inl
CVE-2023-1878: phpmyfaq Adminlog Stored XSS | Miggo