Security Advisory 2017-04-02
Stored XSS in phpMyFAQ
- Issued on:
- 2017-04-02
- Software:
- phpMyFAQ <= 2.9.6
- Risk:
- High
- Platforms:
- all
The phpMyFAQ Team has learned of a security issue that have been discovered in phpMyFAQ 2.9.6 and
earlier. phpMyFAQ contains a stored vulnerability.
Description
phpMyFAQ relies on PHPs filter_input() function with FILTER_SANITIZE_STRING flag is used to sanitize strings inside
the functionality to save new FAQs. But this function doesn’t protect against XSS.
Solution
The phpMyFAQ Team has released the new phpMyFAQ versions 2.9.7 which fix the vulnerability. All users
of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 2.9.7.
References
Thanks
The phpMyFAQ teams would like to thank
Noman Shaikh for the responsible disclosure of this vulnerability.