Security Advisory 2017-04-02

Stored XSS in phpMyFAQ

Issued on: 2017-04-02
Software: phpMyFAQ <= 2.9.6
Risk: High
Platforms: all

The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.9.6 and earlier. phpMyFAQ contains a stored XSS vulnerability.

Description

phpMyFAQ relies on PHP's filter_input() function with the FILTER_SANITIZE_STRING flag to sanitize strings in the functionality that saves new FAQs. However, this function doesn't protect against XSS.
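
A general illustration of why an input-time filter of this kind is not an XSS defense, added here as an example; it is not phpMyFAQ code and not the fix shipped in 2.9.7. The advisory does not name the affected output location, so the link rendering, the helper names (sanitizeOnInput, encodeForHtml, safeHref) and the sample values are assumptions constructed for the example.

```php
<?php
// Added illustration, not phpMyFAQ code. Sample values are constructed.
// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; "@" hides that notice.

function sanitizeOnInput(string $raw): string
{
    // Strips tags and encodes quotes; knows nothing about where the value is rendered.
    return (string) @filter_var($raw, FILTER_SANITIZE_STRING);
}

function encodeForHtml(string $value): string
{
    // Output-time encoding for HTML text and quoted attribute values.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safeHref(string $url): string
{
    // Allowlist the scheme; relative or unparsable URLs are rejected as well.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? encodeForHtml($url) : '#';
}

// Constructed sample inputs.
$samples = [
    'markup in text' => '<b>bold</b> text',
    'script URL'     => 'javascript:alert(1)',
    'normal link'    => 'https://example.org/?a=1&b=2',
];

foreach ($samples as $label => $raw) {
    // Weak pattern: filter once on input, then trust the stored value in any context.
    $stored = sanitizeOnInput($raw);
    printf("%s\n  stored after input filter: %s\n", $label, $stored);
    printf("  weak render:     <a href=\"%s\">link</a>\n", $stored);
    // Hardened pattern: keep the raw value, validate and encode per output context.
    printf("  hardened render: <a href=\"%s\">%s</a>\n", safeHref($raw), encodeForHtml($raw));
}
```

The tag sample is stripped by the input filter, while the script URL contains no tags or quotes and is stored unchanged; only the context-specific check at render time neutralizes it.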

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 2.9.7, which fixes the vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.9.7.

Thanks

The phpMyFAQ Team would like to thank Noman Shaikh for the responsible disclosure of this vulnerability.
