The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 1.5.
All vulnerabilities are exploitable by an anonymous user, regardless of whether magic_quotes_gpc is turned on or off. The "thema", "username" and "usermail" parameters of the "add content" page are prone to cross-site scripting attacks.
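Why the magic_quotes_gpc setting makes no difference, shown as an added example (not phpMyFAQ code, and not necessarily the change made in 1.5.4): the setting only backslash-escapes quotes, which HTML does not treat as an escape, while encoding at output neutralizes the markup. The render functions, field layout and sample values are constructed for illustration, and `addslashes()` stands in for magic_quotes_gpc.

```php
<?php
// Added illustration; not phpMyFAQ source code.

// Constructed sample submission using the parameter names from the advisory.
// The values carry harmless markup so the effect is visible.
$submitted = [
    'thema'    => '"><b>topic</b>',
    'username' => "O'Brien <i>x</i>",
    'usermail' => '"><u>user@example.org</u>',
];

// magic_quotes_gpc applied addslashes()-style escaping to GET/POST/COOKIE data.
function emulate_magic_quotes(array $input): array
{
    return array_map('addslashes', $input);
}

// Hypothetical form field that echoes the value back without encoding.
function render_unencoded(string $name, string $value): string
{
    return '<input name="' . $name . '" value="' . $value . '">';
}

// Same field with HTML encoding applied at the point of output.
function render_encoded(string $name, string $value): string
{
    return '<input name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// The wrapper contributes exactly one "<"; any more came from user input.
function markup_leaked(string $html): bool
{
    return substr_count($html, '<') > 1;
}

foreach ([false, true] as $magicQuotes) {
    $data = $magicQuotes ? emulate_magic_quotes($submitted) : $submitted;
    foreach ($data as $name => $value) {
        printf(
            "magic_quotes=%-3s %-8s unencoded leaks markup: %-3s encoded leaks markup: %s\n",
            $magicQuotes ? 'on' : 'off',
            $name,
            markup_leaked(render_unencoded($name, $value)) ? 'yes' : 'no',
            markup_leaked(render_encoded($name, $value)) ? 'yes' : 'no'
        );
    }
}
```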
The phpMyFAQ Team has released a new phpMyFAQ version 1.5.4 which fixes these vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
There's no workaround except installing phpMyFAQ 1.5.4.
The phpMyFAQ Team would like to thank Tobias Klein for discovering these vulnerabilities. Tobias Klein has also released an independent advisory, describing the vulnerability in more detail.