Main Vulnerability Database Vulnerabilities #VU130103

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in phpMyFAQ - CVE-2024-56199

Published: January 2, 2025 / Updated: May 5, 2026

Vulnerability identifier: #VU130103

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-56199

CWE-ID: CWE-80

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Thorsten Rinne

Affected software:
phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote user to inject malicious HTML or JavaScript code.

The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in index.php?action=editentry when rendering user-supplied FAQ content. A remote privileged user can submit a specially crafted FAQ entry to inject malicious HTML or JavaScript code.

User interaction is required when another user views the crafted FAQ entry.

How to mitigate CVE-2024-56199

Install security update from vendor's website.

Sources

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-ww33-jppq-qfrp

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in phpMyFAQ - CVE-2024-56199

Detailed vulnerability description

How to mitigate CVE-2024-56199

Sources

Please verify you're human