CVE-2024-28108 — MEDIUM (4.7)

Vulnerability Description

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6.

CVSS Score

4.7

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Phpmyfaq	Phpmyfaq	3.2.5

Related Weaknesses (CWE)

CWE-79 CWE-80

References

https://github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94dPatch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqhExploitVendor Advisory
https://github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94dPatch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqhExploitVendor Advisory

FAQ

What is CVE-2024-28108?

CVE-2024-28108 is a vulnerability with a CVSS score of 4.7 (MEDIUM). phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated...

How severe is CVE-2024-28108?

CVE-2024-28108 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-28108?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyfaq Phpmyfaq.