Security Advisory 2025-01-02

Stored HTML Injection vulnerability in phpMyFAQ

Issued on: 2025-01-02
Software: phpMyFAQ <= 4.0.0-RC.5
Risk: Medium
Platforms: all

The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 4.0.1 and earlier. A stored HTML injection vulnerability has been discovered in the phpMyFAQ application.

Description

Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.
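An added example, not phpMyFAQ code and not part of the advisory: one way to audit FAQ answers that are already stored for the kind of active markup described above. The (id, html) row layout, the tag and attribute lists, and the sample rows are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Assumed audit policy: tags and URL schemes that can run or embed active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "meta", "base", "style"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects findings for markup that plain FAQ text should not contain."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            # Drop whitespace and control characters before comparing the scheme.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                self.findings.append(f"scripted URL in {name} on <{tag}>")


def audit_entries(entries):
    """Return {entry_id: [findings]} for entries that contain active content."""
    report = {}
    for entry_id, html in entries:
        finder = ActiveContentFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[entry_id] = finder.findings
    return report


# Constructed sample rows (id, stored answer HTML); not from a real installation.
SAMPLE_ENTRIES = [
    (1, "<p>Open <b>Settings</b> &gt; <a href='https://example.org/help'>Help</a>.</p>"),
    (2, '<p>Hello</p><img src="logo.png" onerror="loadFallback()">'),
    (3, '<a href=" JavaScript:void(0)">reset password</a>'),
    (4, "<SCRIPT src='https://example.invalid/x.js'></SCRIPT>"),
]

if __name__ == "__main__":
    for entry_id, findings in audit_entries(SAMPLE_ENTRIES).items():
        print(entry_id, findings)
```

A finding marks an entry for manual review; it does not replace output escaping or the upgrade described under Solution.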

Solution

The phpMyFAQ Team has released the new phpMyFAQ version 4.0.2, which fixes the vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 4.0.2.

Thanks

The phpMyFAQ team would like to thank geo-chen for the responsible disclosure of this vulnerability.
