Cross-site scripting in phpMyFAQ - CVE-2024-24574

Published: February 5, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU130108
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-24574
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Thorsten Rinne
Affected software:
phpMyFAQ

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the administrator interface.

The vulnerability exists due to cross-site scripting in phpmyfaq\phpmyfaq\admin\attachments.php when rendering attachment filenames from user-controlled data. A remote user can upload an attachment with a specially crafted filename to execute arbitrary JavaScript in the administrator interface.

The payload is stored in the faqattachment table and is triggered when the attachments listing page is viewed.
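To show the bug class described above, here is an added example (not phpMyFAQ's own code) that contrasts an admin listing cell which interpolates a stored attachment filename into HTML unescaped with one that encodes it for the HTML text context, plus a small audit helper for rows already in the table; the function names, the row layout and the sample filenames are constructed for illustration.

```php
<?php
// Added example, not phpMyFAQ's code. Function names, the row shape and the
// sample filenames are constructed for illustration only.

// Rows as they might come back from the faqattachment table (constructed).
$rows = [
    ['id' => 7, 'filename' => 'manual.pdf'],
    ['id' => 8, 'filename' => 'notes"<b>bold</b>.txt'],  // markup in a stored name
];

// Vulnerable pattern: the stored filename is concatenated into HTML as-is,
// so any markup it carries becomes part of the admin page's DOM.
function renderAttachmentRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['id'] . '</td><td>' . $row['filename'] . '</td></tr>';
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderAttachmentRowSafe(array $row): string
{
    return '<tr><td>' . (int) $row['id'] . '</td><td>' . h($row['filename']) . '</td></tr>';
}

// Defender check: flag already-stored filenames containing HTML metacharacters
// so existing rows can be reviewed after the fix is deployed.
function suspiciousFilenames(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        return (bool) preg_match('/[<>"\'&]/', $row['filename']);
    }));
}

foreach ($rows as $row) {
    echo renderAttachmentRowVulnerable($row), "\n";
    echo renderAttachmentRowSafe($row), "\n";
}
echo count(suspiciousFilenames($rows)), " row(s) to review\n";
```

Escaping at output time is the fix that matters; validating filenames on upload is a useful second layer but does not protect rows that were stored before the patch.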


How to mitigate CVE-2024-24574

Install the security update from the vendor's website.

Sources