Security Advisory 2023-03-20
Multiple vulnerabilities in phpMyFAQ
- Issued on:
- 2023-02-20
- Software:
- phpMyFAQ <= 3.1.11
- Risk:
- Medium
- Platforms:
- all
The phpMyFAQ Team has learned of a multiple security issues that have been discovered in phpMyFAQ 3.1.11 and
earlier. phpMyFAQ contains cross-site scripting (XSS), a weak password check and a privilege escalation.
Description
phpMyFAQ does not implement sufficient checks to avoid
- XSS
- weak passwords
- privilege escalation
- Captcha bypass
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 3.1.12 which fixes these vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 3.1.12.
References
-
XSS
-
XSS
-
Password policy
-
XSS
-
XSS
-
XSS
-
XSS
-
XSS
-
XSS
-
Privilege escalation
-
Captcha bypass
-
HTML injection
-
Privilege escalation
-
XSS
-
Privilege escalation
-
XSS
-
XSS
-
XSS
-
XSS
-
XSS
Thanks
The phpMyFAQ team would like to thank @ahmedvienna, @josefjku, @hatlesswizard, @tsarsecurity and @isdkrisna for the
responsible disclosure of this vulnerabilities.