Security Advisory 2023-10-27
XSS and insufficient session expiration vulnerabilities in phpMyFAQ
- Issued on:
- 2023-10-27
- Software:
- phpMyFAQ <= 3.2.1
- Risk:
- Medium
- Platforms:
- all
The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.1 and
earlier. phpMyFAQ contains cross-site scripting (XSS) and insufficient session expiration vulnerabilities.
Description
phpMyFAQ doesn't implement sufficient checks to avoid XSS when adding malicious content into attachments and
administration. phpMyFAQ also implemented an insufficient session expiration.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 3.2.2, which fixes these vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 3.2.2.
References
Thanks
The phpMyFAQ team would like to thank @nyeooo, @ngductung and Matt Zajork for the responsible disclosures of these
vulnerabilities.