← back
CVE-2024-28106

phpMyFAQ Stored XSS at FAQ News Content

CVSS 4.3 MEDIUMEPSS 0.5%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Mar 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Affected products
thorsten · phpMyFAQ

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/thorsten/phpMyFAQ/commit/c94b3deadd87789389e1fad162bc3dd595c0e15ahttps://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6p68-36m6-392r