CVE-2024-28108

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the contentLink parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ. This vulnerability is fixed in 3.2.6.

Published: Mar 25, 2024
Updated: May 4, 2025
CVE: CVE-2024-28108
GHSA: GHSA-48vw-jpf8-hwqh
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79
CWE-80

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
phpmyfaq / phpmyfaq	3.2.5	3.2.5.x
phpmyfaq / phpmyfaq	3.2.5	3.2.6
phpmyfaq / phpmyfaq	3.2.5	3.2.5.x

https://github.com/thorsten/phpMyFAQ/commit/4fed1d9602f0635260f789fe85995789d94d6634
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh

Vulnerability Database

290,278

CVE-2024-28108