Security Advisory 2010-09-28
phpMyFAQ 2.6.x XSS vulnerabilities
- Issued on: 2010-09-28
- Software: phpMyFAQ <= 2.6.8
- Risk: High
- Platforms: all
 
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.6.x.
Description
phpMyFAQ doesn't sanitize some variables in different pages correctly. With a properly crafted
URL it is, for example, possible to inject JavaScript code into the output of a page, which could
result in the leakage of domain cookies (e.g. session identifiers).
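The following is an added illustration of the class of bug the advisory describes, not code from phpMyFAQ and not the affected pages themselves (the advisory does not name the variables or pages involved). It assumes a hypothetical request parameter `q` and hypothetical function names, and shows why echoing a URL parameter into HTML unchanged lets script into the page, how context-aware encoding with `htmlspecialchars` prevents it, and how an HttpOnly session cookie limits what an injected script can read if encoding is missed elsewhere.

```php
<?php
// Added example, not phpMyFAQ code. The parameter name "q" and the function
// names are assumptions; the affected phpMyFAQ pages are not reproduced here.

declare(strict_types=1);

// Vulnerable pattern: the value taken from the URL is placed into the HTML
// attribute unchanged, so a quote and a tag inside it are interpreted as
// markup by the browser instead of as data.
function renderSearchBoxVulnerable(array $get): string
{
    $q = (string)($get['q'] ?? '');
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both single and double quotes so the value cannot close the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderSearchBoxSafe(array $get): string
{
    $q = htmlspecialchars(
        (string)($get['q'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<input type="text" name="q" value="' . $q . '">';
}

// Defence in depth: a session cookie the browser refuses to expose to scripts
// (HttpOnly) cannot be read by injected JavaScript, which is the leakage the
// advisory warns about. Call this before any output is sent.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,  // not readable from document.cookie
        'secure'   => true,  // only sent over HTTPS
        'samesite' => 'Lax', // not sent on most cross-site requests
    ]);
    session_start();
}

// Constructed input: a value that closes the attribute and opens a script tag.
$sample = ['q' => '"><script>/* injected */</script>'];

// The first line reproduces the injection; the second renders it as inert text.
echo renderSearchBoxVulnerable($sample), PHP_EOL;
echo renderSearchBoxSafe($sample), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the safe output the quote and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, so the browser shows the text inside the input box rather than executing it. Encoding must match the output context (attribute, element body, JavaScript string, URL); `htmlspecialchars` as used here covers HTML attribute and element content only.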
Solution
The phpMyFAQ Team has released phpMyFAQ version 2.6.9, which fixes the vulnerability. All users
of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as
possible.
Workaround
There's no workaround except installing phpMyFAQ 2.6.9.
Credits
The phpMyFAQ Team would like to thank Yam Mesicka for reporting the vulnerability.