Security Advisory 2023-07-16
XSS and CSV injection vulnerabilities in phpMyFAQ
- Issued on: 2023-07-16
- Software: phpMyFAQ <= 3.1.15
- Risk: Medium
- Platforms: all
The phpMyFAQ Team has learned of multiple security issues that have been discovered in phpMyFAQ 3.1.13 and
earlier. phpMyFAQ contains cross-site scripting (XSS) and CSV injection vulnerabilities.
Description
phpMyFAQ doesn't implement sufficient checks to prevent XSS when malicious content is inserted into FAQs. Additionally,
phpMyFAQ doesn't implement sufficient checks against CSV injection.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 3.1.16, which fixes these vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 3.1.16.
Thanks
The phpMyFAQ team would like to thank @chonkysec and @lujiefsi for the responsible disclosure of these
vulnerabilities.