N/A

Multiple cross-site scripting (XSS) vulnerabilities in index.php in phpMyFAQ before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter in a sitemap action, (2) the search parameter in a search action, (3) the tagging_id parameter in a search action, (4) the highlight parameter in an artikel action, (5) the artlang parameter in an artikel action, (6) the letter parameter in a sitemap action, (7) the lang parameter in a show action, (8) the cat parameter in a show action, (9) the newslang parameter in a news action, (10) the artlang parameter in a send2friend action, (11) the cat parameter in a send2friend action, (12) the id parameter in a send2friend action, (13) the srclang parameter in a translate action, (14) the id parameter in a translate action, (15) the cat parameter in a translate action, (16) the cat parameter in an add action, or (17) the question parameter in an add action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

N/A

N/A

phpMyFAQ多个页面URL参数跨站脚本漏洞

phpMyFAQ是一个多语言，完全数据库驱动的FAQ系统。它支持多种数据库来存储所有数据。 phpMyFAQ的脚本index.php中存在多个跨站脚本攻击漏洞。phpMyFAQ没有正确地过滤用户提交给多个页面的变量，远程攻击者可以通过特制的URL请求向页面的输出注入JavaScript代码，导致窃取域Cookie，如会话标识符。这些页面变量包含：(1)sitemap功能中的lang参数；(2)search功能中的search参数；(3)search功能中的tagging_id参数；(4)artikel功能

N/A

N/A