Key Information

CVE: CVE-2023-0794
Vulnerability Type: CWE-79: Cross-site Scripting (XSS) - Stored
Severity: High (8.3)
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: Low
Affected Version: 3.1.10
Visibility: Public
Status: Fixed
Found by: Ahmed Hassan (@ahmedvienna)
Fixed by: Thorsten Rinne (@thorsten)

Impact:
- Stored XSS vulnerability in the Username field of thorsten/phpmyfaq.
- When a new user account is created or an existing username is changed to include malicious JavaScript, the code is stored and executed when the page is refreshed.

Mitigation:
- Do not allow JavaScript code to run and never trust user input.

References:
- Stored XSS Video Proof of Concept
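
The mitigation above, sketched as an added example that is not phpMyFAQ's code or its actual fix: a username is checked against an allowlist when an account is created or renamed, and is HTML-encoded every time it is rendered. The function names, the allowlist pattern, the policy string and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not phpMyFAQ functions.

/** Allowlist validation applied when an account is created or renamed. */
function isValidUsername(string $name): bool
{
    // Assumed policy: letters, digits, dot, underscore, hyphen; 3 to 32 characters.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1;
}

/** Vulnerable rendering: the stored value is written into the HTML unchanged. */
function renderUserCellUnsafe(string $name): string
{
    return '<td class="username">' . $name . '</td>';
}

/** Hardened rendering: encode for the HTML context at output time. */
function renderUserCellSafe(string $name): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<td class="username">' . htmlspecialchars($name, $flags, 'UTF-8') . '</td>';
}

// Defense in depth for "do not allow JavaScript code to run":
// a Content-Security-Policy that does not permit inline script.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample usernames, not taken from the advisory.
$samples = ['alice.admin', '<script>alert(1)</script>', 'bob" onmouseover="x'];

foreach ($samples as $name) {
    printf("input:  %s\n", $name);
    printf("valid:  %s\n", isValidUsername($name) ? 'yes' : 'no, reject at create/rename');
    printf("unsafe: %s\n", renderUserCellUnsafe($name));
    printf("safe:   %s\n\n", renderUserCellSafe($name));
}
```

Output encoding is the control that matters for values already stored before validation was introduced; the allowlist only prevents new bad values from being saved.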