CVE-2024-28106 — MEDIUM (4.3)

Vulnerability Description

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Phpmyfaq	Phpmyfaq	3.2.5

Related Weaknesses (CWE)

CWE-79

References

https://github.com/thorsten/phpMyFAQ/commit/c94b3deadd87789389e1fad162bc3dd595c0Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6p68-36m6-392rExploitVendor Advisory
https://github.com/thorsten/phpMyFAQ/commit/c94b3deadd87789389e1fad162bc3dd595c0Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6p68-36m6-392rExploitVendor Advisory

FAQ

What is CVE-2024-28106?

CVE-2024-28106 is a vulnerability with a CVSS score of 4.3 (MEDIUM). phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript...

How severe is CVE-2024-28106?

CVE-2024-28106 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-28106?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyfaq Phpmyfaq.