CVE-2024-28108

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Mar 25, 2024 / Updated: 7mo ago

010
CVSS 4.7EPSS 0.04%Medium
CVE info copied to clipboard

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-28108

Mar 25, 2024 at 12:15 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Mar 25, 2024 at 4:46 PM
CVSS

A CVSS base score of 4.7 has been assigned.

Mar 25, 2024 at 7:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-28108. See article

Mar 25, 2024 at 7:27 PM / National Vulnerability Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.5%)

Mar 28, 2024 at 4:04 PM
Static CVE Timeline Graph

Affected Systems

Phpmyfaq/phpmyfaq
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

Vendor Advisory

[GHSA-48vw-jpf8-hwqh] phpMyFAQ Stored HTML Injection at contentLink
Additionally, unauthenticated HTML injection can compromise user privacy by displaying sensitive information or misleading content. Additionally, unauthenticated HTML injection can compromise user privacy by displaying sensitive information or misleading content.

News

Multiple vulnerabilities in phpMyFAQ
phpMyFAQ cross-site scripting CVE-2024-28108 - https://www. redpacketsecurity.com/phpmyfaq -cross-site-scripting-cve-2024-28108/ # CVE # Vulnerability # OSINT # ThreatIntel # Cyber
CVE-2024-28108
Medium Severity Description phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6. Read more at https://www.tenable.com/cve/CVE-2024-28108
CVE-2024-28108 | thorsten phpmyfaq 3.2.5 contentLink cross site scripting (GHSA-48vw-jpf8-hwqh)
A vulnerability, which was classified as problematic , has been found in thorsten phpmyfaq 3.2.5 . Affected by this issue is some unknown functionality. The manipulation of the argument contentLink leads to basic cross site scripting. This vulnerability is handled as CVE-2024-28108 . The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-28108
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding CVE-2024-28108 originally published on CyberSecurityBoard
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI