phpMyFAQ vulnerable to XSS and CSRF
- Issued on:
- phpMyFAQ <= 2.8.5
The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ 2.8.5 and earlier. phpMyFAQ contains cross-site request forgery and cross-site scripting vulnerabilities.
An arbitrary script may be executed in the user's browser when an older version of Internet Explorer is used. If a user views a malicious page while logged in, settings may be changed unintentionally.
The phpMyFAQ Team has released a new phpMyFAQ version 2.8.6 which fixes this vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version. Internet Explorer users are safe with version 10 or later.
There's no workaround except installing phpMyFAQ 2.8.6.
The phpMyFAQ team would like to thank JPCERT Coordination Center for the responsible disclosure of this vulnerability.