Search for packages
| purl | pkg:composer/thorsten/phpmyfaq@2.9.0-alpha2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-15bx-wfer-qygk
Aliases: CVE-2023-2429 GHSA-r69v-q48g-3966 |
Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.13. |
Affected by 41 other vulnerabilities. |
|
VCID-15yp-h3fj-pbb1
Aliases: CVE-2023-2427 GHSA-5xq3-7mw9-wj5p |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.13. |
Affected by 41 other vulnerabilities. |
|
VCID-1kny-sn17-gbdz
Aliases: CVE-2023-5320 GHSA-pp4w-g5p4-85p2 |
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
Affected by 27 other vulnerabilities. |
|
VCID-1q6p-7t7t-87e5
Aliases: CVE-2023-5317 GHSA-5jwv-m8h3-69cg |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
Affected by 27 other vulnerabilities. |
|
VCID-1qwx-htn1-4bg8
Aliases: CVE-2026-46364 GHSA-289f-fq7w-6q2w |
phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captcha endpoint by crafting malicious User-Agent headers to perform time-based blind SQL injection, extracting sensitive data including user credentials, admin tokens, and SMTP credentials from the database. |
Affected by 1 other vulnerability. |
|
VCID-1rpy-1jkw-w3fx
Aliases: CVE-2023-0880 GHSA-f9c6-4j9h-6c5r |
Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-1v6k-n15u-1bcm
Aliases: CVE-2022-3608 GHSA-6rj8-9cm9-6gff |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha. |
Affected by 30 other vulnerabilities. |
|
VCID-2bb7-xtyn-dbcq
Aliases: CVE-2023-5864 GHSA-g5hp-328h-jj98 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1. |
Affected by 26 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-2bsv-7dt5-6qcu
Aliases: CVE-2024-55889 GHSA-m3r7-8gw7-qwvc |
phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue. |
Affected by 22 other vulnerabilities. |
|
VCID-2wd2-u5mg-suh4
Aliases: CVE-2023-5867 GHSA-prrv-r843-4p75 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
Affected by 22 other vulnerabilities. |
|
VCID-4ej8-n833-fuf4
Aliases: CVE-2023-1756 GHSA-8p48-ghv5-7qq7 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-569v-kyhm-6bd7
Aliases: CVE-2022-4408 GHSA-rjf6-wj7r-5fj2 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
Affected by 84 other vulnerabilities. |
|
VCID-57ev-2w6v-mbbs
Aliases: CVE-2026-24421 GHSA-wm8h-26fv-mg7g |
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. |
Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-5pw3-qxh6-6ufr
Aliases: CVE-2026-46366 GHSA-99qv-g4x9-mgc3 |
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solution_id_{id}.html endpoint. Attackers can sequentially iterate solution IDs to discover all FAQs including those restricted to specific users or groups, leaking sensitive metadata through redirect Location headers and page canonical links. |
Affected by 1 other vulnerability. |
|
VCID-5v8s-4wnz-43ef
Aliases: CVE-2018-16650 GHSA-p57w-9q28-j6v7 |
Affected by 91 other vulnerabilities. |
|
|
VCID-5wsg-7979-dqgs
Aliases: CVE-2025-62519 GHSA-fxm2-cmwj-qvx4 |
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14. |
Affected by 20 other vulnerabilities. |
|
VCID-6jmj-n5mz-bba8
Aliases: CVE-2026-24420 GHSA-7p9h-m7m8-vhhv |
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version |
Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-6w5z-nvj8-wke8
Aliases: CVE-2023-5865 GHSA-f728-prhw-2g68 |
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
Affected by 22 other vulnerabilities. |
|
VCID-7tpb-1avq-zfhu
Aliases: CVE-2026-46361 GHSA-pqh6-8fxf-jx22 |
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_tags()) processing in SearchController.php, executing arbitrary JavaScript in every visitor's browser context including administrators. |
Affected by 1 other vulnerability. |
|
VCID-8fkr-xfw6-ffcj
Aliases: CVE-2023-1759 GHSA-4wfc-ghv5-2v7j |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-8hxw-rvte-33a1
Aliases: CVE-2023-0314 GHSA-m9xr-8cx7-53pj |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-8k51-budg-h3ak
Aliases: CVE-2026-45007 GHSA-rm98-82fr-mcfx |
phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /admin/api/configuration endpoints, violating least privilege access control. |
Affected by 1 other vulnerability. |
|
VCID-8tff-qn8m-r3hc
Aliases: CVE-2023-1875 GHSA-ch5w-2994-6h82 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-8vqk-5ha5-4bae
Aliases: CVE-2023-2753 GHSA-vppq-6ff8-2m8w |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta. |
Affected by 28 other vulnerabilities. |
|
VCID-9mx6-54u5-fugf
Aliases: CVE-2026-34974 GHSA-5crx-pfhq-4hgg |
Affected by 13 other vulnerabilities. |
|
|
VCID-ajev-ydxv-nbd5
Aliases: CVE-2023-1879 GHSA-m9qm-m5w5-9pgj |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-aku3-vveb-gugg
Aliases: CVE-2023-1886 GHSA-4cr4-x82x-hwm9 |
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-ax4d-t793-8bas
Aliases: CVE-2023-0786 GHSA-jfpg-jggf-rpph |
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-b214-zgc8-4qdh
Aliases: CVE-2023-1882 GHSA-jph3-3j24-pg3j |
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-b4yy-mtkz-hybq
Aliases: CVE-2023-1878 GHSA-gcmq-7652-x98j |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-b64e-gffa-5kg7
Aliases: CVE-2024-54141 GHSA-vrjr-p3xp-xx2x |
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0. |
Affected by 21 other vulnerabilities. |
|
VCID-bfsb-58cj-mfaa
Aliases: CVE-2023-1758 GHSA-3j93-7rf7-p7m6 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-btr7-sehp-zbac
Aliases: CVE-2023-0312 GHSA-6449-vf6p-9hfp |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-c229-su7g-v3dg
Aliases: CVE-2023-2550 GHSA-5mf7-p346-7rm8 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.13. |
Affected by 41 other vulnerabilities. |
|
VCID-cjzd-5q9t-nfek
Aliases: CVE-2023-1760 GHSA-7q9c-f2v8-j8gw |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-cnr9-cykp-bbaw
Aliases: CVE-2023-53929 GHSA-x2v3-9p22-w3x6 |
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. |
Affected by 41 other vulnerabilities. |
|
VCID-dc77-t7y6-z3ab
Aliases: CVE-2023-0309 GHSA-25c3-7fvj-v45j |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-e3h4-tm9q-dufz
Aliases: CVE-2022-3754 GHSA-2rr3-rv49-p42f |
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. |
Affected by 87 other vulnerabilities. |
|
VCID-e4ep-gxfy-jbah
Aliases: CVE-2023-5866 GHSA-34w4-wrqp-j47g |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1. |
Affected by 26 other vulnerabilities. |
|
VCID-e6u1-1y99-5khx
Aliases: CVE-2023-0789 GHSA-6vp5-vv9p-7q62 |
Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-ecpv-3xqn-eqf8
Aliases: CVE-2026-46360 GHSA-whqh-9pq5-c7r3 |
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQ_EDIT permission can upload malicious SVG files with deeply nested ampersand encoding around numeric HTML entities to reconstruct javascript: URLs, which execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG. |
Affected by 1 other vulnerability. |
|
VCID-emzq-e5ru-w3cx
Aliases: CVE-2026-27836 GHSA-w22q-m2fm-x9f4 |
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue. |
Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-fnfe-xws9-8bgg
Aliases: CVE-2023-0310 GHSA-9jff-8xmm-mw22 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-gj1u-m1qq-1qb1
Aliases: CVE-2023-1885 GHSA-xxm6-ff3x-v4vm |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-gnxm-rq5g-g3d9
Aliases: CVE-2023-1887 GHSA-gx43-fqrx-6fcw |
Business Logic Errors in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-gsjf-hmab-ruew
Aliases: CVE-2023-0308 GHSA-w475-749h-c77m |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-gvt4-1vk8-8fbx
Aliases: CVE-2023-1883 GHSA-2wjp-w7g7-h63q |
Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-h2wj-7wb2-x3hz
Aliases: CVE-2023-3469 GHSA-v6g2-jwrm-h5r5 |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2. |
Affected by 27 other vulnerabilities. |
|
VCID-h499-pfbv-t7hr
Aliases: CVE-2022-3766 GHSA-mg5h-rhjq-6v84 |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.8. |
Affected by 87 other vulnerabilities. |
|
VCID-hygm-7h9w-x7cs
Aliases: CVE-2023-1762 GHSA-xww4-w6ff-5q3g |
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-jq9j-su28-xken
Aliases: CVE-2023-0791 GHSA-c38p-vw6j-qjpr |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-kfmg-41jk-qfh6
Aliases: CVE-2023-1755 GHSA-hp8m-g55r-9cfq |
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-kppj-ng9a-9fhs
Aliases: CVE-2023-6889 GHSA-w8xj-992g-842f |
Affected by 32 other vulnerabilities. |
|
|
VCID-m9y5-g412-zbeh
Aliases: CVE-2023-0307 GHSA-4p88-cfhq-f3vg |
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-mt7j-r561-tubz
Aliases: CVE-2023-0311 GHSA-g92r-9rxw-cmgx |
Improper Authentication in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-naqh-qumg-37gh
Aliases: CVE-2023-2428 GHSA-8595-6653-96p2 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.13. |
Affected by 41 other vulnerabilities. |
|
VCID-p68j-sbvd-yuh4
Aliases: CVE-2026-24422 GHSA-j4rc-96xj-gvqc |
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. |
Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-pb65-wunz-tye6
Aliases: CVE-2023-2999 GHSA-94r7-63g8-c4jw |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. |
Affected by 37 other vulnerabilities. |
|
VCID-q6zp-tnjb-pye3
Aliases: CVE-2026-34973 GHSA-gcp9-5jc8-976x |
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure. This issue has been patched in version 4.1.1. |
Affected by 13 other vulnerabilities. |
|
VCID-qb4k-vsfg-wycb
Aliases: CVE-2023-0788 GHSA-r6cw-356h-mvwg |
Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-qhsm-g24v-k7gj
Aliases: CVE-2026-32629 GHSA-98gw-w575-h2ph |
Affected by 13 other vulnerabilities. |
|
|
VCID-qpnp-kehq-f7gm
Aliases: CVE-2023-1884 GHSA-gmjj-g2rm-xwm7 |
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-qrn1-cpad-puht
Aliases: CVE-2023-0790 GHSA-6vv4-qq3r-9rv8 |
Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-r24s-k7p3-f7e4
Aliases: CVE-2023-0792 GHSA-wjrj-jc3w-ppfw |
Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-rp5d-6b4k-33g5
Aliases: CVE-2023-4006 GHSA-2xvx-368h-qcmv |
Affected by 34 other vulnerabilities. |
|
|
VCID-rrh1-efbq-tugt
Aliases: CVE-2023-1880 GHSA-m8q9-7v2f-qjx9 |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-rrz3-kbbd-eyhq
Aliases: CVE-2026-45010 GHSA-9pq7-mfwh-xx2j |
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access. |
Affected by 1 other vulnerability. |
|
VCID-spjh-4tvh-gyca
Aliases: CVE-2023-1754 GHSA-gvg8-r8w2-9gfj |
Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-tpbv-urbk-h7gf
Aliases: CVE-2026-46359 GHSA-pm8c-3qq3-72w7 |
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries. |
Affected by 1 other vulnerability. |
|
VCID-tq9d-mguz-8bhp
Aliases: CVE-2023-1753 GHSA-4p4m-5qp7-479x |
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-txxg-bugj-6bd4
Aliases: CVE-2026-45008 GHSA-gh9p-q46p-57g2 |
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope. |
Affected by 1 other vulnerability. |
|
VCID-ty89-v3b2-7yf7
Aliases: CVE-2023-0793 GHSA-fxrq-xhj9-rf5j |
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-u37t-naar-pbav
Aliases: CVE-2025-69200 GHSA-9cg9-4h4f-j6fg |
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue. |
Affected by 18 other vulnerabilities. |
|
VCID-uerm-mjrz-vyg4
Aliases: CVE-2023-5227 GHSA-qcjg-hvg6-hxcp |
Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8. |
Affected by 27 other vulnerabilities. |
|
VCID-ufhy-fdmw-hkdv
Aliases: CVE-2023-5319 GHSA-j5ww-5xf4-hqm2 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
Affected by 27 other vulnerabilities. |
|
VCID-v4hc-w2g2-63f5
Aliases: CVE-2023-0306 GHSA-96x6-jf5w-84c5 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-vjqh-59nn-5ude
Aliases: CVE-2026-46363 GHSA-f5p7-2c9q-8896 |
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags via question or answer parameters, which execute in every visitor's browser when FAQ content is rendered with the raw Twig filter. |
Affected by 1 other vulnerability. |
|
VCID-wcpf-w4c4-ubba
Aliases: CVE-2023-2752 GHSA-j657-pjgc-c4h6 |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta. |
Affected by 28 other vulnerabilities. |
|
VCID-x1gz-3d4a-1qdy
Aliases: CVE-2023-4007 GHSA-q9vm-29ph-p7mp |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16. |
Affected by 34 other vulnerabilities. |
|
VCID-x4fs-3h7u-4bbe
Aliases: CVE-2023-0313 GHSA-x2h8-4mhh-5hwh |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
Affected by 75 other vulnerabilities. |
|
VCID-xt5z-y1n5-37fn
Aliases: CVE-2023-5863 GHSA-j4vj-w5rj-8grw |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
Affected by 22 other vulnerabilities. |
|
VCID-yckn-74u4-pkaw
Aliases: GHSA-7cx3-2qx2-3g6w |
phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags ## Summary The `TagController::delete()` endpoint at `DELETE /admin/api/content/tags/{tagId}` only verifies that the user is logged in (`userIsAuthenticated()`), but does not check any permission. Any authenticated user — including regular non-admin frontend users — can delete any tag by ID. This contrasts with `TagController::update()` and `TagController::search()`, which both enforce the `FAQ_EDIT` permission. ## Details In `phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/TagController.php`, the `delete()` method (line 121-133) uses only `$this->userIsAuthenticated()`: ```php #[Route(path: 'content/tags/{tagId}', name: 'admin.api.content.tags.id', methods: ['DELETE'])] public function delete(Request $request): JsonResponse { $this->userIsAuthenticated(); // Only checks isLoggedIn() — no permission check $tagId = (int) Filter::filterVar($request->attributes->get('tagId'), FILTER_VALIDATE_INT); if ($this->tags->delete($tagId)) { return $this->json(['success' => Translation::get(key: 'ad_tag_delete_success')], Response::HTTP_OK); } return $this->json(['error' => Translation::get(key: 'ad_tag_delete_error')], Response::HTTP_BAD_REQUEST); } ``` Compare with `update()` (line 48-71) which properly enforces authorization: ```php public function update(Request $request): JsonResponse { $this->userHasPermission(PermissionType::FAQ_EDIT); // Proper permission check // ... also verifies CSRF token ... } ``` The `userIsAuthenticated()` method in `AbstractController` (line 258-263) only checks `$this->currentUser->isLoggedIn()`: ```php protected function userIsAuthenticated(): void { if (!$this->currentUser->isLoggedIn()) { throw new UnauthorizedHttpException(challenge: 'User is not authenticated.'); } } ``` There is no admin-level middleware in the `Kernel` — it registers only RouterListener, LanguageListener, ControllerContainerListener, and exception listeners. The admin API entry point (`admin/api/index.php`) shares the same bootstrap and session as the frontend, meaning a frontend user's session cookie is valid for admin API requests. Additionally, this endpoint lacks CSRF token verification (unlike `update()`), though the primary issue is the missing authorization since the attack vector is a logged-in user acting directly. ## PoC ```bash # Step 1: Register as a regular user on the phpMyFAQ frontend # (or use any existing non-admin authenticated session) # Step 2: As the authenticated non-admin user, delete tag with ID 1: curl -X DELETE 'https://target.com/admin/api/content/tags/1' \ -H 'Cookie: PHPSESSID=<regular_user_session>' # Expected: 401 or 403 (user lacks FAQ_EDIT permission) # Actual: 200 OK with {"success": "..."} # Step 3: Enumerate and delete all tags: for i in $(seq 1 100); do curl -s -X DELETE "https://target.com/admin/api/content/tags/$i" \ -H 'Cookie: PHPSESSID=<regular_user_session>' done ``` ## Impact Any authenticated user (including regular frontend users who registered through the public registration form) can delete all tags in the phpMyFAQ instance. This results in: - **Data integrity loss:** Tags are permanently deleted from the database. All FAQ-to-tag associations are destroyed. - **Disruption of FAQ organization:** Tag-based navigation, filtering, and tag clouds become empty or broken. - **No recoverability without backup:** Deleted tags and their associations cannot be restored without a database backup. The impact is limited to tags (not FAQ content itself), but in large installations with extensive tag taxonomies, this could significantly degrade usability. ## Recommended Fix Add the `FAQ_EDIT` permission check and CSRF token verification to `TagController::delete()`, consistent with `TagController::update()`: ```php #[Route(path: 'content/tags/{tagId}', name: 'admin.api.content.tags.id', methods: ['DELETE'])] public function delete(Request $request): JsonResponse { $this->userHasPermission(PermissionType::FAQ_EDIT); $tagId = (int) Filter::filterVar($request->attributes->get('tagId'), FILTER_VALIDATE_INT); if ($this->tags->delete($tagId)) { return $this->json(['success' => Translation::get(key: 'ad_tag_delete_success')], Response::HTTP_OK); } return $this->json(['error' => Translation::get(key: 'ad_tag_delete_error')], Response::HTTP_BAD_REQUEST); } ``` At minimum, add `$this->userHasPermission(PermissionType::FAQ_EDIT)` to enforce the same authorization as the update and search endpoints. Consider also adding a dedicated `TAG_DELETE` permission type for more granular access control. |
Affected by 1 other vulnerability. |
|
VCID-ygjv-jn67-p3h9
Aliases: CVE-2022-4407 GHSA-cp9c-phxx-55xm |
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
Affected by 84 other vulnerabilities. |
|
VCID-yh2p-b5px-b7hz
Aliases: CVE-2023-1757 GHSA-jvjx-qqh7-6x6c |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
Affected by 46 other vulnerabilities. |
|
VCID-yn5s-m3hv-7be8
Aliases: CVE-2023-2998 GHSA-974q-4vvr-vg9c |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. |
Affected by 37 other vulnerabilities. |
|
VCID-z4qa-mnne-pyay
Aliases: CVE-2023-6890 GHSA-4h37-q5j3-hw96 |
Affected by 32 other vulnerabilities. |
|
|
VCID-z8kb-6u51-8bd9
Aliases: CVE-2023-5316 GHSA-58v7-58c2-qwm9 |
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18. |
Affected by 27 other vulnerabilities. |
|
VCID-zaaf-n1z8-v7b3
Aliases: CVE-2023-0794 GHSA-gf34-hh5r-f74h |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
|
VCID-zpeg-pwqh-hbby
Aliases: CVE-2022-3765 GHSA-wr74-2v66-57pp |
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.8. |
Affected by 87 other vulnerabilities. |
|
VCID-zr1w-jzzj-a7gd
Aliases: CVE-2026-46362 GHSA-hpgw-ww76-c68r |
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration. |
Affected by 1 other vulnerability. |
|
VCID-ztw9-5sne-p3e9
Aliases: CVE-2022-4409 GHSA-wpgc-5cr5-h9gg |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
Affected by 84 other vulnerabilities. |
|
VCID-zwsu-pwxb-u3h5
Aliases: CVE-2023-0787 GHSA-gxxj-x426-xj2w |
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
Affected by 65 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||