Security Advisory 2020-12-23
XSS in phpMyFAQ
- Issued on:
- 2020-12-23
- Software:
- phpMyFAQ <= 3.0.6
- Risk:
- Medium
- Platforms:
- all
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 3.0.6 and earlier. phpMyFAQ
contains a cross-site scripting (XSS) vulnerability.
Description
phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags.
Solution
The phpMyFAQ Team has released the new phpMyFAQ versions 3.0.7 and 3.1.0-alpha.3 which fix the vulnerability. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 3.0.7 or 3.1.0-alpha.3.
Thanks
The phpMyFAQ teams would like to thank Curtis Robinson from
Florida Tech for the responsible disclosure of thevulnerability and helping to fix it.