Cross-site scripting in phpMyFAQ - CVE-2024-29179

Published: March 25, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU130107
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-29179
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: phpMyFAQ
Software vendor: Thorsten Rinne

Description

The vulnerability allows a remote user to execute arbitrary client-side JavaScript in another user's phpMyFAQ session.

The vulnerability exists due to cross-site scripting in the file attachments feature: uploaded attachments that have no file extension are rendered by the browser instead of being served as opaque downloads. A remote privileged user can upload a crafted attachment containing JavaScript code, which then executes in the session of any user who opens it.

User interaction is required, since the victim must open the uploaded attachment; the attachment's direct file path is derivable from the file's MD5 hash.
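The defensive pattern for this class of bug is to serve stored uploads so that the browser can never interpret them as HTML, whatever their extension (or lack of one). The handler below is an added illustration written for this page, not phpMyFAQ's own code or its actual fix; `$storageDir`, `$storedName` and `$clientName` are assumed names for the attachment store, the on-disk file name and the user-facing download name.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ's code): headers that make an attachment an
// opaque download. The weak pattern behind this bug class is guessing a
// Content-Type from the (missing) extension and letting the browser sniff
// the bytes, so a file containing <script> renders in the app's origin.
function attachmentHeaders(string $clientName): array
{
    // Strip anything that could break out of the quoted filename parameter.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $clientName) ?: 'attachment';
    return [
        'Content-Type'            => 'application/octet-stream', // never text/html
        'X-Content-Type-Options'  => 'nosniff',                  // no MIME sniffing
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        // Defence in depth: even if the type were rewritten upstream, an
        // opaque-origin sandbox with no script sources stops execution.
        'Content-Security-Policy' => "sandbox; default-src 'none'",
        'Cache-Control'           => 'private, no-store',
    ];
}

// Serve one stored file. $storedName is the opaque on-disk name (e.g. a hash),
// $clientName the name shown to the user when saving.
function serveAttachment(string $storageDir, string $storedName, string $clientName): void
{
    // Resolve both paths and require the file to sit directly inside the
    // store, so a crafted stored name cannot reach other files.
    $realDir  = realpath($storageDir);
    $realFile = realpath($storageDir . DIRECTORY_SEPARATOR . $storedName);
    if ($realDir === false || $realFile === false
        || dirname($realFile) !== $realDir || !is_file($realFile)) {
        http_response_code(404);
        return;
    }
    foreach (attachmentHeaders($clientName) as $name => $value) {
        header($name . ': ' . $value);
    }
    header('Content-Length: ' . (string) filesize($realFile));
    readfile($realFile);
}
```

Serving every attachment this way also makes the MD5-derived direct path harmless as an XSS vector, because the response is downloaded rather than rendered even when requested directly.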


Remediation

Install the security update from the vendor's website.

External links