CVE-2024-28106 MEDIUM

CVE-2024-28106: phpMyFAQ Stored XSS at FAQ News Content

Vendor Thorsten

Product phpMyFAQ

Weakness CWE-79 · XSS

Published March 25, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.

Key dates

02Disclosure timeline

March 25, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-28106

Related vulnerabilities

04Related CVE

CVE-2019-15994 Cisco Stealthwatch Enterprise Cross-Site Scripting Vulnerability CVE-2025-2069 CVE-2023-5230 TM WooCommerce Compare & Wishlist <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-1935 Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS