Security Advisory 2025-01-02
Stored HTML Injection vulnerability in phpMyFAQ
- Issued on: 2025-01-02
- Software: phpMyFAQ <= 4.0.0-RC.5
- Risk: Medium
- Platforms: all
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 4.0.1 and
earlier. A stored HTML injection vulnerability has been discovered in the phpMyFAQ application.
Description
Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject
malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when
user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.
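Because the injected markup is stored with the FAQ entry, existing entries can be reviewed for active content. The following is an added example, not phpMyFAQ code: it parses entry bodies and reports tags outside an allowlist, event-handler attributes and non-web URL schemes.
Assumptions: entries are available as (id, HTML) pairs, and the allowlist, function names and sample rows are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed allowlist for FAQ bodies (illustrative, not phpMyFAQ's policy).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a",
                "img", "h2", "h3", "pre", "code", "blockquote", "span", "div",
                "table", "thead", "tbody", "tr", "th", "td"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def has_unsafe_scheme(value):
    # Browsers drop whitespace and control characters inside a scheme.
    url = "".join(ch for ch in value if ch > " ").lower()
    head = url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return ":" in head and not url.startswith(SAFE_SCHEMES)

class ActiveContentAuditor(HTMLParser):
    """Records markup that should not appear in a stored FAQ entry."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag <{tag}> not in allowlist")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value and has_unsafe_scheme(value):
                self.findings.append(f"unsafe URL scheme in {name} on <{tag}>")

def audit_entry(html):
    auditor = ActiveContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def audit_entries(entries):
    """Return {entry id: findings} for entries with at least one finding."""
    return {eid: found for eid, body in entries if (found := audit_entry(body))}

# Constructed sample rows (id, stored HTML body), not from a real installation.
SAMPLE_ENTRIES = [
    (1, '<p>See <a href="https://example.org/account">Account</a>.</p>'),
    (2, '<p>Intro</p><script>/* constructed */</script>'),
    (3, '<img src="logo.png" onerror="/* constructed */">'),
    (4, '<a href="java\tscript:void(0)">details</a>'),
]

if __name__ == "__main__":
    for eid, found in audit_entries(SAMPLE_ENTRIES).items():
        print(eid, found)
```

A finding marks an entry for manual review; it does not by itself show that the entry was injected.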
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 4.0.2, which fixes the vulnerability. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 4.0.2.
Thanks
The phpMyFAQ team would like to thank geo-chen for the responsible disclosure of this vulnerability.