CVE-2024-28108: phpMyFAQ Stored HTML Injection at contentLink

March 25, 2024

Due to insufficient validation on the contentLink parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. Also, requires that adding new FAQs is allowed for guests and that the admin doesn’t check the content of a newly added FAQ.

References

github.com/advisories/GHSA-48vw-jpf8-hwqh
github.com/thorsten/phpMyFAQ
github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94d6634
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh
nvd.nist.gov/vuln/detail/CVE-2024-28108

Code Behaviors & Features

Detect and mitigate CVE-2024-28108 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →