CVE-2024-28108 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-28108

CVE-2024-28108

March 25, 2024

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6.

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (4)

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh

https://github.com/thorsten/phpMyFAQ

https://github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94d6634

https://nvd.nist.gov/vuln/detail/CVE-2024-28108

Do you need more information?

CVSS v4

Base Score:

2.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.48

Products

Solutions

Resources

Company

Compare

Developer Tools