cvelist
GitHub_M
CVELIST:CVE-2024-29179
History: Mar 25, 2024 - 8:27 p.m.

CVE-2024-29179 phpMyFAQ Stored Cross-site Scripting at File Attachments

2024-03-25 20:27:55
CWE-79
GitHub_M
www.cve.org
cve-2024-29179
phpmyfaq
stored cross-site scripting
file attachments
admin privileges
html rendering
xss attacks
open source
php 8.1
mysql
postgresql
database

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 5.3 Medium
Confidence: High

EPSS: 0.0004 Low
Percentile: 9.0%

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment that contains JS code and has no file extension; the application will render it as HTML, which allows for XSS attacks.

CNA Affected

[
  {
    "vendor": "thorsten",
    "product": "phpMyFAQ",
    "versions": [
      {
        "version": "3.2.5",
        "status": "affected"
      }
    ]
  }
]
