CVE-2024-29179

2024-03-2521:15:47

CWE-79

[email protected]

web.nvd.nist.gov

cve-2024-29179

phpmyfaq

xss

php

mysql

postgresql

admin privileges

attachment

js code

html rendering

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks.

CNA Affected

[
  {
    "vendor": "thorsten",
    "product": "phpMyFAQ",
    "versions": [
      {
        "version": "3.2.5",
        "status": "affected"
      }
    ]
  }
]