Cross-site scripting in phpMyFAQ - CVE-2024-24574
Published: February 5, 2024 / Updated: May 5, 2026
phpMyFAQ
Thorsten Rinne
Description
The vulnerability allows a remote user to execute arbitrary JavaScript in the administrator interface.
The vulnerability exists due to cross-site scripting in phpmyfaq\phpmyfaq\admin\attachments.php when rendering attachment filenames from user-controlled data. A remote user can upload an attachment with a specially crafted filename to execute arbitrary JavaScript in the administrator interface.
The payload is stored in the faqattachment table and is triggered when the attachments listing page is viewed.
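To illustrate the class of bug described above, the following PHP is an added example and not phpMyFAQ's own code: it shows an attachment listing that writes a stored filename into HTML verbatim (the vulnerable pattern), the same row rendered through htmlspecialchars so the filename cannot become markup, and a small audit check that flags stored names carrying HTML metacharacters. The function names, the `$rows` sample and the crafted filename are all constructed for this illustration.

```php
<?php
// Added illustration (not phpMyFAQ's own code): an attachment listing that
// interpolates a stored filename into HTML, beside the escaped form.
// Assumed names: renderAttachmentRowUnsafe, renderAttachmentRow,
// filenameLooksSuspicious, and the constructed $rows sample below.

declare(strict_types=1);

// Vulnerable pattern: the filename read from the attachment table lands in
// the markup verbatim, so <, >, " and ' inside it become live HTML and any
// script it carries runs in the viewing administrator's browser.
function renderAttachmentRowUnsafe(int $id, string $filename): string
{
    return "<tr><td>{$id}</td><td>{$filename}</td></tr>";
}

// Hardened pattern: encode the value for the HTML context it is written into.
// ENT_QUOTES escapes both quote styles so attribute contexts are covered too;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function renderAttachmentRow(int $id, string $filename): string
{
    $safeName = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>{$id}</td><td>{$safeName}</td></tr>";
}

// Defensive check on stored data: flag names containing HTML metacharacters
// or control characters. Useful when auditing rows already in the attachment
// table, or for rejecting a name before it is persisted.
function filenameLooksSuspicious(string $filename): bool
{
    return (bool) preg_match('/[<>"\'&\x00-\x1f]/', $filename);
}

// Constructed sample rows (not real data); the second mimics a crafted name.
$rows = [
    ['id' => 1, 'filename' => 'handbook-2024.pdf'],
    ['id' => 2, 'filename' => 'notes<script>alert(1)</script>.pdf'],
];

foreach ($rows as $row) {
    // The escaped row renders the crafted name as visible text, not as a tag.
    echo renderAttachmentRow($row['id'], $row['filename']), PHP_EOL;
    if (filenameLooksSuspicious($row['filename'])) {
        fwrite(STDERR, "audit: attachment {$row['id']} has a suspicious filename" . PHP_EOL);
    }
}
```

Run with `php example.php`: the second row's `<script>` text appears as `&lt;script&gt;` in the output, and the audit line on stderr identifies the row. Escaping at output time is the primary fix because it protects every filename already stored; the audit check complements it by surfacing rows that were written while the listing was still vulnerable.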