NVD:CVE-2024-29179
Mar 25, 2024 - 9:15 p.m.

CVE-2024-29179

2024-03-25 21:15:47
CWE-79
web.nvd.nist.gov
3
phpmyfaq
xss
attachment vulnerability
web application
admin privileges
javascript
html rendering
cve-2024-29179

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 4.7
Confidence: High

EPSS: 0
Percentile: 9.0%

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment that contains JS code and has no file extension, and the application will render it as HTML, which allows for XSS attacks.
