Security Advisory 2024-02-05

XSS, phishing and spoofing vulnerabilities in phpMyFAQ

Issued on:

2024-02-05

Software:

phpMyFAQ <= 3.2.4

Risk:

Medium

Platforms:

all

The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.4 and

earlier. phpMyFAQ contains cross-site scripting (XSS), phishing and spoofing vulnerabilities.

Description

phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames.

The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary

emails to a large range of targets.

phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing

case for removing another user's account.

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 3.2.5, which fixes these vulnerabilities. All

users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 3.2.5.

References

• phpMyFAQ store XSS on attachments filename

• Sharing FAQ functionality can easily be abused for phishing purposes

• User Removal Page Allows Spoofing Of User Details

Thanks

The phpMyFAQ team would like to thank @PinkDraconian and Nikko Enggaliano for the responsible disclosures of these

vulnerabilities.