Home > Vulnerability Database > CVE-2024-28108

Mend.io Vulnerability Database

CVE-2024-28108

Date: March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the "contentLink" parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ. This vulnerability is fixed in 3.2.6.

Language: PHP

Severity Score

4.7

Related Resources (5)

Url: https://github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94d6634

Url: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh

Url: https://github.com/thorsten/phpMyFAQ

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28108

Url: https://www.mend.io/vulnerability-database/CVE-2024-28108

Severity Score

4.7

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28108

Date: March 25, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?