Phpmyfaq · Phpmyfaq · CVE-2026-34974
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.1
Description
phpMyFAQ, an open source FAQ web application, contains a flaw in its SVG sanitizer (`SvgSanitizer.php`). The regex-based sanitization can be bypassed by using HTML entity encoding within `javascript:` URLs inside SVG `<a href>` attributes. A user with `edit faq` permission can upload a malicious SVG file that executes arbitrary JavaScript when viewed, which allows privilege escalation from an editor to a full admin takeover. The vulnerable file, `phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php`, uses a regex pattern that fails to detect HTML entity encoded `javascript:` URLs. The vulnerability is reachable through the image upload endpoint `/admin/api/content/images`, which requires only the `edit faq` permission. The uploaded SVG files are served with `Content-Type: image/svg+xml` and without a `Content-Disposition: attachment` header, so the browser renders them inline and executes the embedded JavaScript.
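The root cause described above is that a regex over the raw markup only sees the literal text `javascript:`, while the browser decodes character references before resolving the URL. The following added example (not phpMyFAQ's code; the regex and the sample SVG documents are constructed for illustration) contrasts that raw-text check with one that parses the SVG, so entity references are decoded before the URL scheme is inspected, and then allows only a short list of schemes.

```python
import re
import html
from xml.etree import ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample documents: a plain javascript: link, the same link with the
# scheme's first character HTML-entity encoded (&#106; is 'j'), and a benign link.
PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)"><text>x</text></a></svg>'
ENCODED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;avascript:alert(1)"><text>x</text></a></svg>'
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.com/faq"><text>x</text></a></svg>'

# Illustrative regex check over the raw markup (an assumption about the flawed
# approach, not the project's actual pattern): it only matches the literal scheme.
def naive_regex_flags(svg_text: str) -> bool:
    return re.search(r'href\s*=\s*["\']\s*javascript:', svg_text, re.IGNORECASE) is not None

def normalized_scheme(value: str) -> str:
    # Decode entities (twice, to cover double encoding), drop whitespace and
    # non-printable characters, then return the lower-cased scheme, or "" if none.
    decoded = html.unescape(html.unescape(value))
    cleaned = "".join(ch for ch in decoded if ch.isprintable() and not ch.isspace())
    return cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""

ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative and fragment URLs

def href_is_unsafe(value: str) -> bool:
    # Allowlist rather than blocklist: anything not explicitly permitted is rejected.
    return normalized_scheme(value) not in ALLOWED_SCHEMES

def parser_flags(svg_text: str) -> bool:
    # The XML parser decodes character references, so &#106; is already 'j' here.
    root = ET.fromstring(svg_text)
    for element in root.iter():
        for attr in ("href", XLINK_HREF):
            if attr in element.attrib and href_is_unsafe(element.attrib[attr]):
                return True
    return False
```

Serving uploaded SVGs with `Content-Disposition: attachment` (or from a separate origin) is the complementary mitigation, since it stops inline rendering even when a sanitizer misses a case.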
Recommendations
Update phpMyFAQ to version 4.1.1 or later.