CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55889 – phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames
https://notcve.org/view.php?id=CVE-2024-55889
13 Dec 2024 — phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue. • https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54141 – phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
https://notcve.org/view.php?id=CVE-2024-54141
06 Dec 2024 — phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0. • https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 1CVE-2024-24574 – phpMyFAQ vulnerable to stored XSS on attachments filename
https://notcve.org/view.php?id=CVE-2024-24574
05 Feb 2024 — phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5. phpMyFAQ es una aplicación web de preguntas frecuentes de código abierto para PHP 8.1+ y MySQL, PostgreSQL y otras bases de datos. El eco inseguro del nombre de archivo en phpMyFAQ\phpmyfaq\admin\attachments.php conduce ... • https://github.com/thorsten/phpMyFAQ/commit/5479b4a4603cce71aa7eb4437f1c201153a1f1f5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1CVE-2024-22208 – phpMyFAQ sharing FAQ functionality can easily be abused for phishing purposes
https://notcve.org/view.php?id=CVE-2024-22208
05 Feb 2024 — phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ application has a functionality where anyone can share a FAQ item to others. The front-end of this functionality allows any phpMyFAQ articles to be shared with 5 email addresses. Any unauthenticated actor can perform this action. • https://github.com/thorsten/phpMyFAQ/commit/a34d94ab7b1be9256a9ef898f18ea6bfb63f6f1e • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-22202 – User Removal Page Allows Spoofing Of User Details
https://notcve.org/view.php?id=CVE-2024-22202
05 Feb 2024 — phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account. The front-end of this page doesn't allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user want... • https://github.com/thorsten/phpMyFAQ/commit/1348dcecdaec5a5714ad567c16429432417b534d • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6890 – Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
https://notcve.org/view.php?id=CVE-2023-6890
16 Dec 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17. Cross-site Scripting (XSS): almacenadas en el repositorio de GitHub thorsten/phpmyfaq antes de la versión 3.1.17. • https://github.com/thorsten/phpmyfaq/commit/97d90ebbe11ebc6081bf49a2ba4b60f227cd1b43 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6889 – Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
https://notcve.org/view.php?id=CVE-2023-6889
16 Dec 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17. Cross-site Scripting (XSS): almacenadas en el repositorio de GitHub thorsten/phpmyfaq antes de la versión 3.1.17. • https://github.com/thorsten/phpmyfaq/commit/1037a8f012e0d9ec4bf4c8107972f6695e381392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5866 – Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq
https://notcve.org/view.php?id=CVE-2023-5866
31 Oct 2023 — Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1. Cookie confidencial en sesión HTTPS sin atributo "seguro" en el repositorio de GitHub thorsten/phpmyfaq anterior a 3.2.1. • https://github.com/thorsten/phpmyfaq/commit/fdacff14acd5e69841068f0e32b59e2d1b1d0d55 • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5867 – Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
https://notcve.org/view.php?id=CVE-2023-5867
31 Oct 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Cross-site Scripting (XSS): almacenadas en el repositorio de GitHub thorsten/phpmyfaq antes de 3.2.2. • https://github.com/thorsten/phpmyfaq/commit/5310cb8c37dc3a5c5aead0898690b14705c433d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5865 – Insufficient Session Expiration in thorsten/phpmyfaq
https://notcve.org/view.php?id=CVE-2023-5865
31 Oct 2023 — Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Caducidad de sesión insuficiente en el repositorio de GitHub thorsten/phpmyfaq anterior a 3.2.2. • https://github.com/thorsten/phpmyfaq/commit/5f43786f52c3d517e7665abd25d534e180e08dc5 • CWE-613: Insufficient Session Expiration •