CVE-2017-14619 - PHPMyFAQ 2.9.8 - Cross-Site Scripting

Security Advisory: CVE-2017-14619 - PHPMyFAQ 2.9.8 - Cross-Site Scripting

OVERVIEW

Severity Rating: Medium

Confirmed Affected Versions: 2.9.8

Confirmed Patched Versions: 2.9.9

Vendor: phpMyFAQ

Vendor URL: http://www.phpmyfaq.de/

Vector: Remote

Status: Public

CVE: CVE-2017-14619

ExploitDB URL: https://www.exploit-db.com/exploits/42987/

phpMyFAQ Security Advisory: http://www.phpmyfaq.de/security/advisory-2017-10-19

PRODUCT DESCRIPTION

phpMyFAQ is a multilingual, completely database-driven FAQ system. It supports various databases to store all data; PHP 5.4.4+ or HHVM 3.4.2+ is needed to access this data. phpMyFAQ also offers a multi-language Content Management System with a WYSIWYG editor and an Image Manager, flexible multi-user support with user- and group-based permissions on categories and records, a wiki-like revision feature, a news system, user tracking, 40+ supported languages, enhanced automatic content negotiation, HTML5/CSS3-based templates, PDF support, a backup system, a dynamic sitemap, related FAQs, tagging, RSS feeds, built-in spam protection systems, OpenLDAP and Microsoft Active Directory support, and an easy-to-use installation script.
phpMyFAQ is developed and maintained by Thorsten Rinne.

SUMMARY AND IMPACT

Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the “Title of your FAQ” field in the Configuration Module.

In phpMyFAQ, an administrator has the privilege to edit the configuration of the phpMyFAQ portal, including the title of the portal. The “Title of your FAQ” field does not properly filter and sanitize user input, which results in a stored cross-site scripting vulnerability.

Whenever any user visits the portal, the malicious JavaScript that the admin (attacker) stored in the title is executed in that user’s browser.
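
The pattern described above, shown as an added example that is not phpMyFAQ source code: a stored title written into the page as-is, next to output encoding and a save-time check. The function names, the sample value and the 120-byte limit are assumptions made for illustration.

```php
<?php
// Added illustration, not phpMyFAQ source code. Function names and the
// sample value are hypothetical/constructed.

// Vulnerable pattern: the stored title is interpolated into HTML as-is,
// so any markup saved in the setting becomes part of every page.
function renderTitleUnsafe(string $storedTitle): string
{
    return "<title>{$storedTitle}</title>";
}

// Hardened pattern: encode at output time for the HTML context.
function renderTitleSafe(string $storedTitle): string
{
    $encoded = htmlspecialchars($storedTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<title>{$encoded}</title>";
}

// Save-time validation as a second layer: reject values that contain
// markup or control characters instead of trying to clean them up.
// The 120-byte limit is an assumed value.
function validateTitle(string $input): string
{
    $title = trim($input);
    if ($title === '' || strlen($title) > 120) {
        throw new InvalidArgumentException('Title must be 1-120 bytes long.');
    }
    if (preg_match('/[<>\x00-\x1F\x7F]/', $title)) {
        throw new InvalidArgumentException('Title must not contain markup or control characters.');
    }
    return $title;
}

// Constructed sample value standing in for a tampered setting.
$stored = 'Help Center</title><script>/* constructed marker */</script>';

echo renderTitleUnsafe($stored), PHP_EOL; // markup is emitted unchanged
echo renderTitleSafe($stored), PHP_EOL;   // markup is emitted as HTML entities

try {
    validateTitle($stored);
} catch (InvalidArgumentException $e) {
    echo 'Rejected on save: ', $e->getMessage(), PHP_EOL;
}
```

Output encoding is the primary control here because it also neutralizes values that were stored before any save-time check existed.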

PROOF OF CONCEPT

https://www.youtube.com/watch?v=iVbsxOcAqZw

WORKAROUNDS

There is no workaround other than updating to the latest version of phpMyFAQ.

Advisory Update: November 13, 2017