PT-2024-2385 · Phpmyfaq · Phpmyfaq

Kevinnivekkevin · Published 2024-03-25 · Updated 2025-01-09 · CVE-2024-28108

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

phpMyFAQ versions prior to 3.2.6

Description

The issue stems from insufficient validation of the contentLink parameter, which allows unauthenticated users to inject HTML code into the page and may affect other users. Exploitation requires that adding new FAQs is allowed for guests and that the admin does not check the content of a newly added FAQ. Attackers can manipulate the appearance and functionality of web pages by injecting malicious HTML code, leading to undesirable outcomes such as defacing the website, redirecting users to malicious sites, or altering the content to deceive users.

Recommendations

Update versions prior to 3.2.6 to version 3.2.6, which fixes the vulnerability. As a temporary workaround, consider disabling the ability for guests to add new FAQs, or ensure that admins check the content of newly added FAQs to minimize the risk of exploitation. Restrict access to the contentLink parameter to prevent HTML injection until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02336
CVE-2024-28108
GHSA-48VW-JPF8-HWQH

Affected Products

Phpmyfaq