Security Advisory 2024-03-25

XSS, phishing and spoofing vulnerabilities in phpMyFAQ

Issued on:
2024-03-25
Software:
phpMyFAQ <= 3.2.5
Risk:
Medium
Platforms:
all

The phpMyFAQ Team has learned of multiple security issues that had been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection, path traversal and unrestricted file upload vulnerabilities.

Description

phpMyFAQ does not implement sufficient checks to prevent path traversal in attachment file names, which allows attackers with admin rights to write uploaded files to other locations under the web root.

An attacker with admin privileges can upload an attachment that contains JavaScript code and has no file extension; the application serves it as HTML, which allows for XSS attacks.

Unauthenticated users can inject HTML code into a page, which might affect other users. This requires that adding new FAQs is allowed for guests and that the admin does not check the content of a newly added FAQ.

A PostgreSQL SQL injection vulnerability has been discovered in the admin section when modifying records, due to improper escaping of the email address.

By manipulating the news parameter in a POST request, an attacker with admin rights can inject malicious JavaScript code.

The category image upload function in phpMyFAQ is vulnerable to manipulation of the Content-Type and lang parameters, allowing attackers with admin rights to upload files with a .php extension, potentially leading to remote code execution (RCE) on the server. The Content-Type header is supplied by the client and must not be used on its own to decide whether an upload is safe.

The email field on phpMyFAQ's user control panel page is vulnerable to stored XSS because the check relies on PHP's FILTER_VALIDATE_EMAIL filter, which only validates that the string has the form of an email address. A syntactically valid address can still contain characters that are meaningful in HTML, so the value has to be encoded when it is output.

A PostgreSQL SQL injection vulnerability has been discovered in the "Add News" functionality, also due to improper escaping of the email address.
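The following is an added example and is not phpMyFAQ code. It shows an upload handler hardened against the three upload weaknesses named above: a path traversal through the file name, trust in the client-supplied Content-Type, and storing or serving a file in a way that lets the web server execute it (.php) or the browser render it as HTML (no extension). The class name, storage directory and extension allow-list are hypothetical; PHP 8 is assumed for the constructor property promotion.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Class, directory and allow-list are
// hypothetical; the point is the order and nature of the checks.

final class AttachmentStore
{
    /** Allow-list: permitted extension => MIME type the bytes must sniff as. */
    private const ALLOWED = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];

    public function __construct(private string $storageDir) {}

    /**
     * Validates one entry of $_FILES and returns the absolute path the file
     * was stored at. Throws on any policy violation.
     */
    public function store(array $file): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload failed');
        }

        // (1) Only the extension of the client-supplied name is consulted, and
        //     only against the allow-list. "../x" and "shell.php" both fail here.
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new RuntimeException('file type not allowed');
        }

        // (2) $file['type'] is the request's Content-Type header and is
        //     attacker-controlled. Sniff the bytes instead and require that the
        //     sniffed type matches the extension.
        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($sniffed !== self::ALLOWED[$ext]) {
            throw new RuntimeException("content is $sniffed, not " . self::ALLOWED[$ext]);
        }

        // (3) The stored name is generated server-side, so nothing from the
        //     request can steer the path. realpath() plus a parent check also
        //     catches a misconfigured storage directory.
        $base = realpath($this->storageDir);
        if ($base === false) {
            throw new RuntimeException('storage directory missing');
        }
        $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
        if (dirname($target) !== $base) {
            throw new RuntimeException('path escapes storage directory');
        }

        if (!move_uploaded_file($file['tmp_name'], $target)) {
            throw new RuntimeException('could not store file');
        }
        return $target;
    }

    /**
     * Serves a stored file. The type is derived from the stored extension, not
     * from the request, and nosniff stops the browser from promoting an
     * extension-less or text-like file to HTML, which is the XSS vector above.
     */
    public static function send(string $path): void
    {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext]) || !is_file($path)) {
            http_response_code(404);
            return;
        }
        header('Content-Type: ' . self::ALLOWED[$ext]);
        header('X-Content-Type-Options: nosniff');
        header('Content-Disposition: attachment; filename="' . basename($path) . '"');
        header('Content-Length: ' . (string) filesize($path));
        readfile($path);
    }
}

// Typical use inside a request handler:
// $path = (new AttachmentStore('/var/lib/faq-attachments'))->store($_FILES['attachment']);
```

Keep the storage directory outside the document root and hand files out only through send(); the random server-side name also defuses double-extension tricks such as shell.php.png, because the original name never reaches the filesystem.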
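The following is an added example, not phpMyFAQ code, covering the two PostgreSQL SQL injection issues and the stored XSS through the email field. It shows why a passing FILTER_VALIDATE_EMAIL check is no substitute for output encoding or for parameterised SQL: an apostrophe is a legal character in an email local part, and a quoted local part may contain `<` and `>`. The table and column names are hypothetical, the inputs are constructed, and PHP 8 with PDO is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Table and column names are hypothetical.

/** Returns the address if it is syntactically valid, otherwise null. */
function validateEmail(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Encodes for an HTML text node or a double-quoted attribute value. */
function emailForHtml(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * The vulnerable shape, kept for contrast: the address is spliced into the
 * statement text, so an apostrophe the validator accepted ends the string
 * literal and whatever follows is parsed as SQL.
 */
function updateEmailUnsafe(PDO $db, int $userId, string $email): int|false
{
    return $db->exec("UPDATE users SET email = '$email' WHERE id = $userId");
}

/** Hardened: the value is bound as a parameter, never part of the statement. */
function updateEmailSafe(PDO $db, int $userId, string $email): bool
{
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed inputs. The first two are well-formed under RFC 5321 and pass
// FILTER_VALIDATE_EMAIL: the apostrophe is permitted in a dot-atom local part,
// and a quoted local part may hold almost any printable ASCII, including < >.
$inputs = [
    "o'brien@example.com",
    '"<svg/onload=alert(1)>"@example.com',
    'not an address',
];

foreach ($inputs as $raw) {
    $valid = validateEmail($raw);
    printf(
        "%-40s valid: %-3s html: %s\n",
        $raw,
        $valid === null ? 'no' : 'yes',
        $valid === null ? '-' : emailForHtml($valid)
    );
}

// With a real connection, e.g. new PDO('pgsql:host=localhost;dbname=faq', $user, $pass,
// [PDO::ATTR_EMULATE_PREPARES => false]), only updateEmailSafe() should ever be called;
// updateEmailUnsafe() is here to show the pattern that manual escaping failed to protect.
```

Validation narrows the input to things that look like addresses; it says nothing about whether those bytes are safe in a given output context. Encode on output for HTML, and let the database driver bind values for SQL, regardless of what the validator accepted.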

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 3.2.6, which fixes these vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There is no workaround other than upgrading to phpMyFAQ 3.2.6.

References

Thanks

The phpMyFAQ team would like to thank @kevinnivekkevin for the responsible disclosure of these vulnerabilities.
