CVE-2024-28106
MEDIUM4.3EPSS 0.16%phpMyFAQ Stored Cross-site Scripting at FAQ News Content
發布日:2024/3/25修改日:2024/3/25
描述
### Summary By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. ### PoC 1. Edit a FAQ news, intercept the request and modify the `news` parameter in the POST body with the following payload: `%3cscript%3ealert('xssContent')%3c%2fscript%3e` 2. Browse to the particular news page and the XSS should pop up.  ### Impact This allows an attacker to execute arbitrary client side JavaScript within the context of another user's phpMyFAQ session
受影響套件(1)
- Packagist/phpmyfaq/phpmyfaq>= 3.2.5, < 3.2.6
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L |