Security Advisory 2024-12-13
User Interface (UI) Misrepresentation of Critical Information vulnerability in phpMyFAQ
- Issued on: 2024-12-06
- Software: phpMyFAQ <= 4.0.0-RC.5
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 4.0.0 and
earlier: a User Interface (UI) Misrepresentation of Critical Information vulnerability in the
phpMyFAQ application.
Description
A vulnerability exists in phpMyFAQ where a privileged attacker can trigger a file download on a victim's machine when
the victim visits a page, by embedding the download in an iframe element, without any user interaction or explicit consent.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 4.0.1, which fixes the vulnerability. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 4.0.1.
Thanks
The phpMyFAQ team would like to thank geo-chen for the responsible disclosure of this vulnerability.