CVE-2024-27299 – phpMyFAQ SQL Injection at "Save News"

https://notcve.org/view.php?id=CVE-2024-27299

25 Mar 2024 — phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. The vulnerable field lies in the `authorEmail` field which uses PHP's `FILTER_VALIDATE_EMAIL` filt... • https://drive.google.com/drive/folders/1BFL8GHIBxSUxu0TneYf66KjFA0A4RZga?usp=sharing • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •