Описание
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
Уязвимые конфигурации
Конфигурация 1Версия от 4.0.14 (включая) до 4.0.16 (исключая)
Одно из
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
cpe:2.3:a:phpmyfaq:phpmyfaq:4.1.0:rc:*:*:*:*:*:*
EPSS
Процентиль: 12%
0.00041
Низкий
5.4 Medium
CVSS3
6.1 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
github
около 1 месяца назад
phpMyFAQ has Stored XSS in user list via admin-managed display_name
EPSS
Процентиль: 12%
0.00041
Низкий
5.4 Medium
CVSS3
6.1 Medium
CVSS3
Дефекты
CWE-79