SB2024032591 - Multiple vulnerabilities in phpMyFAQ
Published: March 25, 2024 Updated: May 5, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-29196)
The vulnerability allows a remote user to upload files to unintended locations within the web root.
The vulnerability exists due to path traversal in the attachment location setting when processing attachment upload paths. A remote privileged user can set a crafted attachment location and then upload a file to an unintended location within the web root.
The issue affects the attachments feature and does not require user interaction.
2) Cross-site scripting (CVE-ID: CVE-2024-29179)
The vulnerability allows a remote user to execute arbitrary client-side JavaScript in another user's phpMyFAQ session.
The vulnerability exists due to cross-site scripting in the file attachments feature when rendering uploaded attachments without an extension. A remote privileged user can upload a crafted attachment containing JavaScript code to execute arbitrary client-side JavaScript in another user's phpMyFAQ session.
User interaction is required to access the uploaded attachment, and the direct file path is derivable from the file's MD5 hash.
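Both issues above come down to two server-side controls: the configured attachment location must never resolve outside the attachment root (issue 1), and stored attachments must be served in a way the browser will not render as an HTML document in the application's origin, regardless of whether the file has an extension (issue 2). The following is an added example written for this bulletin, not code from phpMyFAQ or its vendor; the attachment root path, the function names and the sample inputs are constructed for illustration.

```python
import mimetypes
import os
import secrets
from typing import Dict

# Hypothetical attachment root; a real deployment would keep this directory
# outside the web server's document root.
ATTACHMENT_ROOT = "/var/www/phpmyfaq/attachments"


def resolve_attachment_dir(configured_location: str, root: str = ATTACHMENT_ROOT) -> str:
    """Return the absolute directory for an admin-supplied attachment location.

    Raises ValueError when the setting, after normalisation and symlink
    resolution, escapes `root` (e.g. via '..' segments).
    """
    # The setting is always treated as relative to root: a leading slash would
    # make os.path.join discard root entirely, so it is stripped first.
    candidate = os.path.join(root, configured_location.lstrip("/\\"))
    resolved = os.path.realpath(candidate)
    root_resolved = os.path.realpath(root)
    # Containment test: a path that stayed inside root shares root itself as
    # the common prefix; an escaped path shares only a shorter ancestor.
    if os.path.commonpath([root_resolved, resolved]) != root_resolved:
        raise ValueError(f"attachment location escapes root: {configured_location!r}")
    return resolved


def attachment_location_is_safe(configured_location: str, root: str = ATTACHMENT_ROOT) -> bool:
    """Boolean form of the check above, suitable for validating the setting on save."""
    try:
        resolve_attachment_dir(configured_location, root)
        return True
    except ValueError:
        return False


def safe_attachment_name(filename: str) -> str:
    """Reduce a client-supplied upload name to a single path component."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid attachment filename")
    return name


def stored_name() -> str:
    """Random on-disk name, so the storage path cannot be derived from the
    file's contents (the bulletin notes the path is derivable from an MD5)."""
    return secrets.token_urlsafe(16)


def download_headers(original_name: str) -> Dict[str, str]:
    """Response headers for serving a stored attachment.

    Unknown or extensionless files get an opaque content type, nosniff stops
    the browser from promoting bytes to text/html, the attachment disposition
    forces a download instead of inline rendering, and a sandboxed CSP denies
    script execution even if something is rendered.
    """
    guessed, _ = mimetypes.guess_type(original_name)
    if not guessed or guessed in ("text/html", "application/xhtml+xml", "image/svg+xml"):
        content_type = "application/octet-stream"
    else:
        content_type = guessed
    quoted = original_name.replace('"', "")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{quoted}"',
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed inputs: a normal sub-directory setting and a traversal attempt.
    print(resolve_attachment_dir("2024/03"))
    print(attachment_location_is_safe("../../html"))
    print(download_headers("notes"))          # extensionless upload
    print(download_headers("report.pdf"))
```

The containment check uses `os.path.realpath` rather than a string prefix comparison so that symlinks inside the root are also resolved before the comparison; `commonpath` avoids the classic mistake where `/attachments-evil` passes a `startswith("/attachments")` test.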
Remediation
Install the update from the vendor's website.