Skip to content

Stored XSS in admin “List of users” via display_name HTML entity decoding (html_entity_decode) + Twig |raw

Moderate
thorsten published GHSA-jv8r-hv7q-p6vc Dec 29, 2025

Package

phpMyFAQ (PHP web application)

Affected versions

Affected versions: >= 4.0.14 (include 4.1.0)

Patched versions

4.0.16

Description

Summary

A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.

Details

Root cause is the following chain:

  • User-controlled input stored: attacker-provided display_name (real name) is stored in DB (often as HTML entities, e.g., <img ...>).
  • Decode on read: phpmyfaq/src/phpMyFAQ/User/UserData.php decodes display_name using html_entity_decode(...) (“for backward compatibility”).
  • Unsafe sink: admin user list renders the decoded value unescaped using Twig |raw:
    • phpmyfaq/assets/templates/admin/user/users.twig (users table uses {{ user.display_name|raw }})

As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.

Note: This report is about the display_name field + entity-decoding path. It is distinct from previously published issues focused on the email field.

PoC (minimal reproduction)

Preconditions / configuration

  • Registration enabled (security.enableRegistration = true).
  • Attacker does not need admin privileges.
  • Admin must view the admin user list page.

Steps

  1. As an unauthenticated user, open the registration page and create a new account.
  2. Set the display name / real name field to the following entity-encoded payload:
    • <img src=x onerror=alert(1)>
  3. Complete registration.
  4. As an administrator, open the admin user list (example):
    • http://127.0.0.1:8080/admin/user/list
  5. Observe JavaScript execution in the admin’s browser (e.g., alert(1) triggers) and the payload is rendered as an actual <img> element.

Impact

Stored XSS in the admin context can enable:

  • admin session compromise (depending on cookie flags),
  • CSRF token exfiltration and privileged admin actions,
  • UI redress/phishing within the admin panel.

Evidence (what I observed)

  • Stored DB value (entities):
    &lt;img src=x onerror=alert(1)&gt;
  • Rendered HTML in admin user list:
    <img src="x" onerror="alert(1)">

Affected versions

Confirmed by code inspection

  • 4.0.14
  • 4.0.15
    • Both contain html_entity_decode for display_name in UserData.php and {{ user.display_name|raw }} in users.twig.

Confirmed by live reproduction

  • 4.1.0-RC (tested on current source checkout)

Environment (tested)

  • Host OS: macOS 15.6.1 (24G90)
  • Web container OS: Debian GNU/Linux 12 (bookworm)
  • PHP: 8.4.5RC1
  • DB: MariaDB 11.6.2
  • phpMyFAQ source commit (tested): bca1c41

Contact / Credit

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE ID

CVE-2025-68951

Weaknesses

No CWEs

Credits