CVE-2024-24574

EUVD-2024-0558
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
phpmyfaqphpmyfaq
𝑥
< 3.2.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5
https://github.com/thorsten/phpMyFAQ/pull/2827
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx
https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5
https://github.com/thorsten/phpMyFAQ/pull/2827
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx