Security Advisory 2020-12-23

XSS in phpMyFAQ

Issued on:
2020-12-23
Software:
phpMyFAQ <= 3.0.6
Risk:
Medium
Platforms:
all

The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 3.0.6 and earlier. phpMyFAQ contains a cross-site scripting (XSS) vulnerability.

Description

phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags.

Solution

The phpMyFAQ Team has released the new phpMyFAQ versions 3.0.7 and 3.1.0-alpha.3 which fix the vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 3.0.7 or 3.1.0-alpha.3.

Thanks

The phpMyFAQ teams would like to thank Curtis Robinson from Florida Tech for the responsible disclosure of the vulnerability and helping to fix it.

Back to the security advisories overview