phpMyFAQ < 3.1.13 Multiple Vulnerabilities

2023-05-0400:00:00

plugins.openvas.org

phpmyfaq

multiple vulnerabilities

reflected xss

stored cross site scripting

user profile manipulation

vulnerable version

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.002

Percentile

60.9%

JSON

phpMyFAQ is prone to multiple vulnerabilities.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:phpmyfaq:phpmyfaq";

if( description )
{
  script_oid("1.3.6.1.4.1.25623.1.0.126303");
  script_version("2023-10-13T05:06:10+0000");
  script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-05-04 12:30:56 +0200 (Thu, 04 May 2023)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-05-06 03:06:00 +0000 (Sat, 06 May 2023)");

  script_cve_id("CVE-2023-2427", "CVE-2023-2428", "CVE-2023-2429", "CVE-2023-2550");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("phpMyFAQ < 3.1.13 Multiple Vulnerabilities");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("phpmyfaq_detect.nasl");
  script_mandatory_keys("phpmyfaq/installed");

  script_tag(name:"summary", value:"phpMyFAQ is prone to multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The following vulnerabilities exist:

  - CVE-2023-2427: Reflected XSS

  - CVE-2023-2428: Stored cross site scripting vulnerability in name field in add question module.

  - CVE-2023-2429: Application does not properly validate email addresses when updating user
  profiles. This vulnerability allows an attacker to manipulate their email address and change it
  to another email address that is already registered in the system, including email addresses
  belonging to other users such as the administrator. Once the attacker has control of the other
  user's email address, they can request to remove the user from the system, leading to a loss of
  data and access.

  - CVE-2023-2550: Stored XSS");

  script_tag(name:"affected", value:"phpMyFAQ prior to version 3.1.13.");

  script_tag(name:"solution", value:"Update to version 3.1.13 or later.");

  script_xref(name:"URL", value:"https://huntr.dev/bounties/89005a6d-d019-4cb7-ae88-486d2d44190d");
  script_xref(name:"URL", value:"https://huntr.dev/bounties/cee65b6d-b003-4e6a-9d14-89aa94bee43e/");
  script_xref(name:"URL", value:"https://huntr.dev/bounties/20d3a0b3-2693-4bf1-b196-10741201a540/");
  script_xref(name:"URL", value:"https://huntr.dev/bounties/840c8d91-c97e-4116-a9f8-4ab1a38d239b");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!version = get_app_version(cpe: CPE, port: port))
  exit(0);

if (version_is_less(version: version, test_version: "3.1.13")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "3.1.13");
  security_message(data: report, port: port);
  exit(0);
}

exit(99);