Kevinnivekkevin

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This issue can be exploited by remote attackers, potentially leading to the upload of malicious files outside the specified directory. **Recommendations** For versions prior to 3.2.6, upgrade to version 3.2.6 to fix the Path Traversal vulnerability in Attachments. As a temporary workaround, consider restricting the attachment location settings to prevent path traversal until the upgrade is applied. Additionally, restrict access to the attachment upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 8.1 and later **Description** The issue is related to the lack of protection for the web page structure, allowing an attacker to conduct cross-site scripting (XSS) attacks using specially crafted .html files. An attacker with admin privileges can upload an attachment containing JavaScript code without an extension, and the application will render it as HTML, enabling XSS attacks. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For phpMyFAQ versions 8.1 and later, consider disabling the ability to upload attachments without extensions as a temporary workaround until a patch is available. Restrict access to the attachment upload feature to minimize the risk of exploitation. Avoid using the attachment upload feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** The issue is related to the inadequacy of PHP's `FILTER VALIDATE EMAIL` function, which only validates the email format, not its content. This allows an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks. When the stored data is retrieved and displayed on web pages, it is not properly sanitized to remove or neutralize any potentially harmful content, such as JavaScript code, which leads to Stored XSS. **Recommendations** For versions prior to 3.2.6, update to version 3.2.6 to fix the vulnerability. As a temporary workaround, consider restricting access to the `email` field in the user control panel page until the update is applied. Additionally, avoid using the `FILTER VALIDATE EMAIL` function alone for validating email content, and ensure proper sanitization of user-input data to prevent stored XSS attacks.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** The issue is related to the manipulation of the `news` parameter in a POST request, allowing an attacker to inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. **Recommendations** For versions prior to 3.2.6, update to version 3.2.6 to resolve the issue. As a temporary workaround, consider restricting access to the news page or disabling the ability to edit FAQ news until the update is applied. Avoid using the `news` parameter in POST requests to the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** The issue is related to insufficient validation on the `contentLink` parameter, allowing unauthenticated users to inject HTML code into the page, which may affect other users. This requires that adding new FAQs is allowed for guests and that the admin does not check the content of a newly added FAQ. Attackers can manipulate the appearance and functionality of web pages by injecting malicious HTML code, leading to undesirable outcomes such as defacing the website, redirecting users to malicious sites, or altering the content to deceive users. **Recommendations** For versions prior to 3.2.6, update to version 3.2.6 to fix the vulnerability. As a temporary workaround, consider disabling the ability for guests to add new FAQs or ensure that admins check the content of newly added FAQs to minimize the risk of exploitation. Restrict access to the `contentLink` parameter to prevent HTML injection until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** The category image upload function in phpMyFAQ is vulnerable to manipulation of the `Content-type` and `lang` parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system. Attackers can upload malicious files containing executable code, allowing them to take control of the vulnerable system, execute arbitrary commands, steal sensitive data, disrupt services, and potentially escalate their privileges. **Recommendations** For versions prior to 3.2.6, update to version 3.2.6 to resolve the issue. As a temporary workaround, consider restricting access to the category image upload function to minimize the risk of exploitation. Additionally, forcing the getFileExtension function to return one of the allowed mimetypes instead of an empty string can help prevent the uploaded file from being executed as a PHP file.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ version 3.2.5 **Description** A SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve remote code execution. The vulnerable field lies in the `authorEmail` field which uses PHP's `FILTER VALIDATE EMAIL` filter. This filter is insufficient in protecting against SQL injection attacks and should still be properly escaped. **Recommendations** For phpMyFAQ version 3.2.5, update to version 3.2.6 to fix the SQL injection vulnerability. As a temporary workaround, consider properly escaping the `authorEmail` field to prevent SQL injection attacks. Restrict access to the "Add News" functionality to minimize the risk of exploitation. Avoid using the `authorEmail` field in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.6 **Description** A SQL injection vulnerability has been discovered in the `insertentry` and `saveentry` functions when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve remote code execution. The vulnerability can be exploited by modifying the `email` and `notes` parameters in the body of the POST request to the `/admin/?action=insertentry` and `/admin/?action=saveentry` API endpoints. **Recommendations** To resolve the issue, update phpMyFAQ to version 3.2.6 or later. As a temporary workaround, consider restricting access to the `insertentry` and `saveentry` functions until a patch is available. Additionally, restrict the use of the `email` and `notes` parameters in the affected API endpoints to minimize the risk of exploitation.