CVE-2017-14618 - PHPMyFAQ 2.9.8 - Cross-Site Scripting

October 12, 2017 2-minute read

Security Advisory: CVE-2017-14618 - PHPMyFAQ 2.9.8 - Cross-Site Scripting

OVERVIEW
Severity Rating: Medium
Confirmed Affected Versions: 2.9.8
Confirmed Patched Versions: 2.9.9

Vendor: phpMyFAQ

Vendor URL: http://www.phpmyfaq.de/
Vector: Remote
Status: Public
CVE: CVE-2017-14618
ExploitDB URL: https://www.exploit-db.com/exploits/42761/
phpMyFAQ Security Advisory: http://www.phpmyfaq.de/security/advisory-2017-10-19

PRODUCT DESCRIPTION
phpMyFAQ is a multilingual, completely database-driven FAQ-system. It supports various databases to store all data, PHP 5.4.4+ or HHVM 3.4.2+ is needed in order to access this data. phpMyFAQ also offers a multi-language Content Management System with a WYSIWYG editor and an Image Manager, flexible multi-user support with user and group based permissions on categories and records, a wiki-like revision feature, a news system, user-tracking, 40+ supported languages, enhanced automatic content negotiation, HTML5/CSS3 based templates, PDF-support, a backup-system, a dynamic sitemap, related FAQs, tagging, RSS feeds, built-in spam protection systems, OpenLDAP and Microsoft Active Directory support, and an easy to use installation script.
phpMyFAQ is developed and maintained by Thorsten Rinne
SUMMARY AND IMPACT
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an “Add New FAQ” action.
In phpMYFAQ Administrator has the privilege to “Add New FAQ” on the phpMyFAQ Portal. The “Questions” field does not properly filter and sanitize the user input which thus, results into a Stored Cross Site Scripting Vulnerability.
Whenever any user visits this portal, the admin’s (attacker’s) malicious JavaScript will be executed by the newly added faq on the user’s browser.

PROOF OF CONCEPT
https://www.youtube.com/watch?v=RujUCey_b-g

WORKAROUNDS

There is no workaround except for updating to the latest version of phpMyFAQ from here

Advisory Update: November 13, 2017