CVE-2024-24574

Опубликовано: 05 фев. 2024

Источник: nvd

CVSS3: 6.5

CVSS3: 6.1

EPSS Низкий

Описание

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5.

Ссылки

https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5
Patch
https://github.com/thorsten/phpMyFAQ/pull/2827
Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx
Exploit
Vendor Advisory
https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5
Patch
https://github.com/thorsten/phpMyFAQ/pull/2827
Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

Версия до 3.2.5 (исключая)

EPSS

Процентиль: 85%

0.02404

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-7m8g-fprr-47fx

CVSS3: 6.5

github

около 2 лет назад

phpMyFAQ vulnerable to stored XSS on attachments filename

EPSS

Процентиль: 85%

0.02404

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79