Security Advisory 2014-02-04

phpMyFAQ vulnerable to XSS and CSRF

Issued on:
2014-02-04
Software:
phpMyFAQ <= 2.8.5
Risk:
High
Platforms:
all

The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ 2.8.5 and earlier. phpMyFAQ contains cross-site request forgery and cross-site scripting vulnerabilities.

Description

Cross-site scripting: an arbitrary script may be executed in the user's browser when phpMyFAQ is viewed with an older version of Internet Explorer. Cross-site request forgery: if a user views a malicious page while logged in to phpMyFAQ, settings may be changed without the user's intent.
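The request-forgery issue above works because the victim's browser attaches the phpMyFAQ session cookie to any request a malicious page triggers, so the server cannot tell a forged settings change from a real one. The following PHP is an added illustration of the usual fix, the synchronizer-token pattern; it is not phpMyFAQ's own code, and the function names, form fields and action URL are assumptions made for the example.

```php
<?php
// Added illustration (not phpMyFAQ code): the synchronizer-token pattern
// that stops a logged-in user's browser from being used to change settings
// via a forged cross-site request. Function names, the form fields and the
// action URL are assumptions made for this example.
declare(strict_types=1);

// Create the per-session token on first use and return it.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable by another origin
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrfTokenIsValid(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// The settings form carries the token as a hidden field; htmlspecialchars()
// keeps the value from breaking out of the attribute (output encoding).
function renderSettingsForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="admin/index.php?action=config">'
        . '<input type="hidden" name="csrf" value="' . $token . '">'
        . '<input type="text" name="title">'
        . '<button type="submit">Save</button>'
        . '</form>';
}

// A state-changing request is honoured only over POST and with a valid token.
// A malicious page on another origin can make the victim's browser send the
// session cookie, but it cannot read the token out of the victim's form, so
// its forged POST is rejected here.
function handleSettingsPost(array &$session, string $method, array $post, array &$config): bool
{
    if ($method !== 'POST' || !csrfTokenIsValid($session, $post['csrf'] ?? null)) {
        return false;
    }
    $config['title'] = (string) ($post['title'] ?? '');
    return true;
}

// Self-check when run as `php csrf_example.php`.
if (PHP_SAPI === 'cli') {
    $session = [];
    $config  = ['title' => 'FAQ'];
    renderSettingsForm($session);

    // forged request: right cookies (session), no token
    $forged = handleSettingsPost($session, 'POST', ['title' => 'owned'], $config);
    // legitimate request: token copied from the rendered form
    $legit  = handleSettingsPost($session, 'POST', ['csrf' => $session['csrf_token'], 'title' => 'My FAQ'], $config);

    if ($forged !== false || $legit !== true || $config['title'] !== 'My FAQ') {
        fwrite(STDERR, "self-check failed\n");
        exit(1);
    }
    echo "self-check passed\n";
}
```

In a real deployment the `$session` array is `$_SESSION`, the token must be regenerated on login, and every state-changing handler (not only the settings form) must go through the same check; a GET request must never change state, since a forged GET needs no form at all.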

Solution

The phpMyFAQ Team has released phpMyFAQ 2.8.6, which fixes these vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as possible. Internet Explorer users running version 10 or later are not affected by the cross-site scripting issue.

Workaround

There is no workaround; install phpMyFAQ 2.8.6.

Credits

Thanks

The phpMyFAQ team would like to thank JPCERT Coordination Center for the responsible disclosure of these vulnerabilities.