History: Mar 25, 2024 - 9:15 p.m.

CVE-2024-29179

2024-03-25 21:15:47
CWE-79
web.nvd.nist.gov
30
cve-2024-29179
phpmyfaq
xss
php
mysql
postgresql
admin privileges
attachment
js code
html rendering

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 5 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 8.8%)

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment that contains JS code and has no file extension; the application renders it as HTML, which allows for XSS attacks.

CNA Affected

[
  {
    "vendor": "thorsten",
    "product": "phpMyFAQ",
    "versions": [
      {
        "version": "3.2.5",
        "status": "affected"
      }
    ]
  }
]
