SB2024020554 - Multiple vulnerabilities in phpMyFAQ

Published: February 5, 2024
Updated: May 5, 2026

Security Bulletin ID: SB2024020554
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2024-24574)

The vulnerability allows a remote user to execute arbitrary JavaScript in the administrator interface.

The vulnerability exists due to cross-site scripting in phpmyfaq\phpmyfaq\admin\attachments.php when rendering attachment filenames from user-controlled data. A remote user can upload an attachment with a specially crafted filename to execute arbitrary JavaScript in the administrator interface.

The payload is stored in the faqattachment table and is triggered when the attachments listing page is viewed.
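The following PHP snippet is an added illustration of the pattern behind this finding; it is not phpMyFAQ's own code, and the row layout, function names and sample filenames are assumptions made for the example. It places an unescaped rendering of a stored filename beside the escaped form, and adds an upload-time filename check as a second layer.

```php
<?php
// Added example (not phpMyFAQ code): rendering stored attachment filenames
// in an admin listing. Row layout and function names are assumptions.
declare(strict_types=1);

// Constructed sample rows standing in for records read from an attachment
// table; the second filename carries HTML markup.
$attachments = [
    ['id' => 1, 'filename' => 'quarterly-report.pdf'],
    ['id' => 2, 'filename' => '<b>bold</b>.png'],
];

// Vulnerable pattern: the stored filename is concatenated straight into the
// page, so any markup it contains is interpreted by the administrator's browser.
function renderAttachmentRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['id'] . '</td><td>' . $row['filename'] . '</td></tr>';
}

// Hardened pattern: escape at the point of output for the HTML context.
// ENT_QUOTES also covers attribute contexts; the charset is stated explicitly.
function renderAttachmentRowSafe(array $row): string
{
    $id   = (int) $row['id'];
    $name = htmlspecialchars((string) $row['filename'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $id . '</td><td>' . $name . '</td></tr>';
}

// Defence in depth at upload time: keep only the base name and accept a
// conservative character set, so markup never reaches the table at all.
// Returns null when the name is rejected.
function sanitizeUploadFilename(string $original): ?string
{
    $base = basename(str_replace('\\', '/', $original));
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $base) === 1 ? $base : null;
}

foreach ($attachments as $row) {
    echo 'unsafe: ' . renderAttachmentRowUnsafe($row) . PHP_EOL;
    echo 'safe:   ' . renderAttachmentRowSafe($row) . PHP_EOL;
}
var_dump(sanitizeUploadFilename('quarterly-report.pdf'));
var_dump(sanitizeUploadFilename('<b>bold</b>.png'));
```

Run with the PHP CLI: the unsafe row for the second record contains live `<b>` tags, the safe row contains `&lt;b&gt;`, and the upload-time check accepts the first filename and rejects the second. Output escaping is the fix that matters here, because data already stored in the table bypasses any upload-time filter.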


2) Improper access control (CVE-ID: CVE-2024-22202)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the user removal page when handling account removal requests. A remote user can modify intercepted form fields to spoof another user's details and cause a denial of service.

User interaction is required because an administrator must act on the deceptive removal email.
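The following PHP snippet is an added illustration of the access-control pattern described above; it is not phpMyFAQ's own code, and the session keys, form fields and function names are assumptions made for the example. It contrasts a removal request assembled from submitted form fields with one whose identity is taken only from the server-side session.

```php
<?php
// Added example (not phpMyFAQ code): assembling an account-removal request.
// Session keys, form fields and function names are assumptions.
declare(strict_types=1);

// Constructed inputs: the authenticated session, and a submitted form whose
// identity fields have been altered to name a different account.
$session = ['user_id' => 42, 'login' => 'alice', 'email' => 'alice@example.invalid'];
$post    = ['user_id' => '7', 'login' => 'bob', 'email' => 'bob@example.invalid',
            'reason' => 'leaving'];

// Vulnerable pattern: the identity that the removal notification will describe
// is copied from the form, so whoever submits the form can name any account.
function buildRemovalRequestUnsafe(array $post): array
{
    return [
        'user_id' => (int) $post['user_id'],
        'login'   => (string) $post['login'],
        'email'   => (string) $post['email'],
        'reason'  => (string) ($post['reason'] ?? ''),
    ];
}

// Hardened pattern: identity comes only from server-side session state. The
// form contributes nothing but the free-text reason, which is length-capped
// (mb_substr assumes the mbstring extension is available).
function buildRemovalRequestSafe(array $session, array $post): ?array
{
    if (!isset($session['user_id'], $session['login'], $session['email'])) {
        return null; // not authenticated: refuse rather than fall back to the form
    }
    $reason = mb_substr(trim((string) ($post['reason'] ?? '')), 0, 500);
    return [
        'user_id' => (int) $session['user_id'],
        'login'   => (string) $session['login'],
        'email'   => (string) $session['email'],
        'reason'  => $reason,
    ];
}

print_r(buildRemovalRequestUnsafe($post));
print_r(buildRemovalRequestSafe($session, $post));
```

Run with the PHP CLI: the first request names the account given in the form, which is not the account that submitted it, while the second names the authenticated user regardless of what the form carried. Binding the request to the session is what removes the spoofing path; the administrator acting on the notification then sees the genuine requester.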


Remediation

Install update from vendor's website.