CVE-2024-24574

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5	Patch
https://github.com/thorsten/phpMyFAQ/pull/2827	Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

History

12 Feb 2024, 21:41

Type	Values Removed	Values Added
References	~~() https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5 -~~	() https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5 - Patch
References	~~() https://github.com/thorsten/phpMyFAQ/pull/2827 -~~	() https://github.com/thorsten/phpMyFAQ/pull/2827 - Patch
References	~~() https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx -~~	() https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx - Exploit, Vendor Advisory
Summary		(es) phpMyFAQ es una aplicación web de preguntas frecuentes de código abierto para PHP 8.1+ y MySQL, PostgreSQL y otras bases de datos. El eco inseguro del nombre de archivo en phpMyFAQ\phpmyfaq\admin\attachments.php conduce a la ejecución permitida de código JavaScript en el lado del cliente (XSS). Esta vulnerabilidad ha sido parcheada en la versión 3.2.5.
First Time		Phpmyfaq Phpmyfaq phpmyfaq
CPE		cpe:2.3:a:phpmyfaq:phpmyfaq::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 6.1

05 Feb 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-05 21:15

Updated : 2024-02-12 21:41

NVD link : CVE-2024-24574

Mitre link : CVE-2024-24574

CVE.ORG link : CVE-2024-24574

JSON object : View

Products Affected

phpmyfaq

phpmyfaq

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

6.1 /10