CVE-2024-56199
Published: 02 January 2025
Summary
CVE-2024-56199 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Phpmyfaq Phpmyfaq. Its CVSS base score is 5.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of inputs to the FAQ editor endpoint to prevent injection of malicious HTML content that disrupts the user interface.
SI-15 mandates filtering and sanitization of FAQ content output prior to rendering, neutralizing injected HTML elements like overlapping iframes and buttons.
SI-2 ensures timely flaw remediation by applying patches such as phpMyAdmin version 4.0.2 to fix the HTML injection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
HTML injection in public-facing web app directly enables external defacement (T1491.002) via UI manipulation and exploitation of the application (T1190).
NVD Description
phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ…
more
page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability.
Deeper analysisAI
CVE-2024-56199 is an HTML injection vulnerability in phpMyFAQ, an open source FAQ web application. It affects versions starting no later than 3.2.10 and prior to 4.0.2, specifically in the FAQ editor at the endpoint /admin/index.php?action=editentry. Attackers can inject malicious HTML content that manipulates the page structure with malformed elements like overlapping buttons, images, and iframes styled to cover the entire screen, resulting in complete disruption of the FAQ page's user interface.
Exploitation requires network access, low complexity, high privileges (PR:H), and user interaction (UI:R), as reflected in its CVSS score of 5.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L). A privileged attacker, such as one with admin access to the editor, can render the page unusable for legitimate users, leading to denial of service, damage to user experience, and potential phishing or defacement attacks. The issue is linked to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page).
The GitHub security advisory (GHSA-ww33-jppq-qfrp) documents the vulnerability, and phpMyFAQ version 4.0.2 includes a patch to mitigate it.
Details
- CWE(s)