CVE-2023-3469

MEDIUM5.2EPSS 0.18%

phpMyFAQ Cross-site Scripting

Published: 6/30/2023Modified: 2/16/2024

Description

phpMyFAQ prior to 3.2.0-beta.2 contains a cross-site scripting vulnerability. When an administrator restores a backup from a file, it's possible to trigger an error with a specially crafted file that can be displayed on the web page. Since the error message contains the invalid part of the file, any JavaScript code in the file is executed.

Affected packages (1)

Packagist/thorsten/phpmyfaqfrom 0, < 3.2.0-beta.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.2	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3469
PATCHhttps://github.com/thorsten/phpMyFAQ
WEBhttps://github.com/thorsten/phpmyfaq/commit/04a0183c25dd425f4c2bfb5f75b7650b932ae278
WEBhttps://huntr.dev/bounties/3565cfc9-82c4-4db8-9b8f-494dd81b56ca