GHSA-jv8r-hv7q-p6vc

Summary

A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context.

Details

Root cause is the following chain:

• User-controlled input stored: attacker-provided display_name (real name) is stored in DB (often as HTML entities, e.g., <img ...>).
• Decode on read: phpmyfaq/src/phpMyFAQ/User/UserData.php decodes display_name using html_entity_decode(...) (“for backward compatibility”).
• Unsafe sink: admin user list renders the decoded value unescaped using Twig |raw:
  • phpmyfaq/assets/templates/admin/user/users.twig (users table uses {{ user.display_name|raw }})

As a result, an entity-encoded payload becomes active HTML/JS when rendered in the admin user list.

Note: This report is about the display_name field + entity-decoding path. It is distinct from previously published issues focused on the email field.

PoC (minimal reproduction)

Preconditions / configuration

• Registration enabled (security.enableRegistration = true).
• Attacker does not need admin privileges.
• Admin must view the admin user list page.

Steps

1. As an unauthenticated user, open the registration page and create a new account.
2. Set the display name / real name field to the following entity-encoded payload:
   • <img src=x onerror=alert(1)>
3. Complete registration.
4. As an administrator, open the admin user list (example):
   • http://127.0.0.1:8080/admin/user/list
5. Observe JavaScript execution in the admin’s browser (e.g., alert(1) triggers) and the payload is rendered as an actual <img> element.

Impact

Stored XSS in the admin context can enable:

• admin session compromise...