Security Advisory 2017-10-XX

XSS and CSRF in phpMyFAQ

Issued on:
2017-10-XX
Software:
phpMyFAQ <= 2.9.8
Risk:
Medium
Platforms:
all

The phpMyFAQ Team has learned of some security issues that have been discovered in phpMyFAQ 2.9.8 and earlier. phpMyFAQ contains cross-site request forgery and cross-site scripting vulnerabilities.

Description

phpMyFAQ does not implement sufficient checks to avoid attackers can trick the victim to reset his rating statistics, to reset his user visits and to reset his administrator logs by using a simple exploit code. The CSRF issue

Solution

The phpMyFAQ Team has released the new phpMyFAQ versions 2.9.9 which fix the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.9.9.

References

Thanks

The phpMyFAQ teams would like to thank Ishaq Mohammed and Nikhil Mittal for the responsible disclosure of these vulnerabilities.

Back to the security advisories overview