CVE-2024-24574

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5.

Published: Feb 5, 2024
Updated: May 4, 2025
CVE: CVE-2024-24574
GHSA: GHSA-7m8g-fprr-47fx
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79
CWE-80

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
phpmyfaq / phpmyfaq	-	3.2.5
phpmyfaq / phpmyfaq	-	3.2.5

https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5
https://github.com/thorsten/phpMyFAQ/pull/2827
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx
https://www.phpmyfaq.de/security/advisory-2024-02-05

Vulnerability Database

290,278

CVE-2024-24574