Security Advisory 2023-09-21

XSS and cookie vulnerabilities in phpMyFAQ

Issued on:

2023-09-21

Software:

phpMyFAQ <= 3.1.17

Risk:

Medium

Platforms:

all

The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.0 and

earlier. phpMyFAQ contains cross-site scripting (XSS) vulnerabilities. The secure flag handling of cookies is buggy.

Description

phpMyFAQ doesn't implement sufficient checks to avoid XSS when adding malicious content into FAQs, configuration, user

administration, and multi-site configuration.

Solution

The phpMyFAQ Team has released the new phpMyFAQ versions 3.2.1 and 3.1.18, which fixes these vulnerabilities. All

users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 3.2.1 or 3.1.18.

References

• XSS in 3.1.17 and 3.2.0

• XSS in 3.1.17 and 3.2.0

• XSS in 3.1.17 and 3.2.0

• XSS in 3.1.17 and 3.2.0

• XSS in 3.1.17 and 3.2.0

• Cookie issue in 3.2.0

• XSS in 3.2.0

Thanks

The phpMyFAQ team would like to thank @hainguyen0207 and @nyeooo for the responsible disclosures of these

vulnerabilities.