CVE-2024-28106
phpMyFAQ Stored Cross-site Scripting at FAQ News Content
Description
### Summary By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. ### PoC 1. Edit a FAQ news, intercept the request and modify the `news` parameter in the POST body with the following payload: `%3cscript%3ealert('xssContent')%3c%2fscript%3e` 2. Browse to the particular news page and the XSS should pop up.  ### Impact This allows an attacker to execute arbitrary client side JavaScript within the context of another user's phpMyFAQ session
How to fix CVE-2024-28106
To remediate CVE-2024-28106, upgrade the affected package to a fixed version below.
- —upgrade to 3.2.6 or later
Is CVE-2024-28106 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.2.5, < 3.2.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L |