CVE-2024-24574: 
PHP vulnerability analysis and mitigation

phpMyFAQ, an open source FAQ web application for PHP 8.1+ and MySQL/PostgreSQL, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2024-24574. The vulnerability was discovered in version 3.2.4 and earlier versions, where an unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php allowed the execution of JavaScript code on the client side. The issue was patched in version 3.2.5 (GitHub Advisory).

The vulnerability stems from improper sanitization of filename data in the attachments.php file. The code directly rendered file attachments from user tables using a shorthand echo without any prior sanitation, allowing malicious JavaScript code to be executed. The vulnerability is triggered when an attacker with appropriate permissions uploads attachments through the endpoint http://{base_url}/admin/?action=editentry and manipulates the filename parameter during the POST request to /admin/index.php?action=ajax&ajax=att&ajaxaction=upload (GitHub Advisory).

The vulnerability allows attackers with attachment upload permissions to store XSS payloads in the faqattachment table's filename column. When these stored payloads are rendered on pages listing the files, they affect other users within the hierarchy. While cookie theft is prevented due to HttpOnly flags, attackers could potentially crash the application using looping JavaScript payloads (GitHub Advisory).

The vulnerability has been patched in phpMyFAQ version 3.2.5. The fix involves implementing proper sanitization using the existing Strings::htmlentities class from phpMyFAQ\Strings to sanitize the filename output (GitHub Commit).