PT-2024-2384 · phpMyFAQ

Kevinnivekkevin

Published 2024-03-25 · Updated 2025-01-09

CVE-2024-28106

CVSS v2.0 5.8 Medium
Vector AV:N/AC:L/Au:M/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.6
Description: Stored cross-site scripting (XSS) in FAQ news. The news parameter of the POST request used to create or edit a news entry is not adequately sanitized, so a user who is able to edit news can store malicious JavaScript in an entry. The payload executes whenever another user browses to the affected news page, giving the attacker arbitrary client-side JavaScript execution in the context of that user's phpMyFAQ session. The Au:M component of the vector reflects that exploitation requires an authenticated account with news-editing rights rather than an anonymous visitor.
Recommendations: For versions prior to 3.2.6, update to version 3.2.6 or later. Until the update is applied, restrict who may create or edit FAQ news (or disable news editing altogether) and consider restricting access to the news page; do not accept the news parameter in POST requests to the affected endpoint in the meantime. After updating, review the existing news entries for script content that may have been stored while the instance was vulnerable, since a patch that only hardens the input path does not clean up entries that were already written.
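The two checks a practitioner would run against the recommendations above, as an added example (not code from the advisory or from phpMyFAQ): a version comparison against the fixed release named here, and a heuristic sweep over stored news entries for script tags, inline event handlers, javascript: URIs and embedded frames. The news rows below are constructed sample data standing in for the news table of an installation, not data from the advisory; the regular expressions are a quick triage heuristic and not a substitute for an HTML sanitizer, and they will miss encoded or obfuscated variants. Treating a pre-release such as 3.2.6-RC1 as still affected is an assumption, since the advisory names only 3.2.6 as fixed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Per the advisory, phpMyFAQ releases before 3.2.6 are affected.
FIXED_VERSION = "3.2.6"


def parse_version(version: str) -> Tuple[int, ...]:
    """Map a version string to a comparable tuple.

    '3.2.5' -> (3, 2, 5, 1); '3.2.6-RC1' -> (3, 2, 6, 0).
    A pre-release suffix sorts below the final release of the same number, so
    '3.2.6-RC1' is still reported as affected (assumption: the advisory names
    3.2.6 as the fixed release and says nothing about its pre-releases).
    """
    core, _, suffix = version.strip().partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    numbers = numbers + (0,) * (3 - len(numbers))  # '3.2' compares as 3.2.0
    return numbers + (0 if suffix else 1,)


def is_affected(version: str) -> bool:
    """True when the installed phpMyFAQ version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class NewsItem:
    news_id: int
    header: str
    content: str  # stored as HTML: the news editor accepts markup


# Heuristic markers of active content in stored news. They catch the plain
# script / event-handler / javascript: / frame forms only.
MARKERS = [
    ("script tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("iframe/object/embed", re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE)),
]


def scan_news(items: Iterable[NewsItem]) -> Dict[int, List[str]]:
    """Return {news_id: [reasons]} for every item whose header or content
    matches one of the markers; items with no match are omitted."""
    findings: Dict[int, List[str]] = {}
    for item in items:
        reasons = []
        for field_name, text in (("header", item.header), ("content", item.content)):
            for label, pattern in MARKERS:
                if pattern.search(text):
                    reasons.append(f"{label} in {field_name}")
        if reasons:
            findings[item.news_id] = reasons
    return findings


# Constructed sample rows standing in for an installation's news table.
# Entry 4 is entity-encoded and renders as literal text, so it is not flagged.
SAMPLE_NEWS = [
    NewsItem(1, "Maintenance window", "<p>The FAQ will be offline on Friday.</p>"),
    NewsItem(2, "Welcome", '<p>Hello</p><img src="x" onerror="alert(1)">'),
    NewsItem(3, "Survey", "<p>Tell us what you think.</p><script>alert(1)</script>"),
    NewsItem(4, "Escaped text", "&lt;script&gt;alert(1)&lt;/script&gt; renders as text"),
    NewsItem(5, "Links", '<a href="javascript:alert(1)">click here</a>'),
]


if __name__ == "__main__":
    for v in ("3.2.5", "3.2.6-RC1", "3.2.6", "3.2.7"):
        print(f"{v}: {'affected' if is_affected(v) else 'fixed'}")
    for news_id, reasons in scan_news(SAMPLE_NEWS).items():
        print(f"news #{news_id}: {', '.join(reasons)}")
```

Run against a real installation, the rows would come from the news table and every flagged entry should be reviewed by hand; a legitimate news post that embeds a video frame will trip the iframe marker, so the output is a review list, not a verdict.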


XSS


Related Identifiers

BDU:2024-02335
CVE-2024-28106
GHSA-6P68-36M6-392R

Affected Products

phpMyFAQ