CVE-2024-27300

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 3.2.6

Description The issue is related to the inadequacy of PHP's FILTER VALIDATE EMAIL function, which only validates the email format, not its content. This allows an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. The email field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks. When the stored data is retrieved and displayed on web pages, it is not properly sanitized to remove or neutralize any potentially harmful content, such as JavaScript code, which leads to Stored XSS.

Recommendations For versions prior to 3.2.6, update to version 3.2.6 to fix the vulnerability. As a temporary workaround, consider restricting access to the email field in the user control panel page until the update is applied. Additionally, avoid using the FILTER VALIDATE EMAIL function alone for validating email content, and ensure proper sanitization of user-input data to prevent stored XSS attacks.