CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)
By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers.
`news` parameter in the POST body with the following payload: `%3cscript%3ealert('xssContent')%3c%2fscript%3e`
This allows an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session.
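Added example (not from the advisory or the phpMyFAQ code base): a server-side check, sketched in Python, that form-decodes a POST body and parses the `news` value as HTML, because the payload above arrives percent-encoded and a raw substring match for `<script` never sees it. The `newsheader` field, the tag deny-list and all function names are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Assumed deny-list of script-capable elements for this sketch.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveContentFinder(HTMLParser):
    """Collects script-capable markup found in an HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def inspect_news_field(raw_body, field="news"):
    """Return findings for every value of `field` in a urlencoded POST body."""
    findings = []
    # parse_qs percent-decodes values, so the markup is checked in decoded form.
    for value in parse_qs(raw_body, keep_blank_values=True).get(field, []):
        finder = ActiveContentFinder()
        finder.feed(value)
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample bodies; `newsheader` is a hypothetical sibling field.
SAMPLE_PAYLOAD_BODY = "newsheader=Release+notes&news=%3cscript%3ealert('xssContent')%3c%2fscript%3e"
SAMPLE_BENIGN_BODY = "newsheader=Release+notes&news=%3Cp%3EVersion+released%3C%2Fp%3E"

if __name__ == "__main__":
    for body in (SAMPLE_PAYLOAD_BODY, SAMPLE_BENIGN_BODY):
        print(inspect_news_field(body) or "no active content")
```

A check like this flags suspicious submissions at ingest; the stored value still needs sanitizing or encoding where the news page renders it.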
| CPE | Name | Operator | Version |
|---|---|---|---|
| | phpmyfaq/phpmyfaq | eq | 3.2.5 |