Lucene search

[email protected]CVE-2024-22202

HistoryFeb 05, 2024 - 8:15 p.m.

CVE-2024-22202

2024-02-0520:15:55

CWE-284

[email protected]

web.nvd.nist.gov

phpmyfaq

faq

web application

php

mysql

postgresql

security

vulnerability

cve-2024-22202

user spoofing

phishing

account removal

patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.1%

JSON

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ’s user removal page allows an attacker to spoof another user’s detail, and in turn make a compelling phishing case for removing another user’s account. The front-end of this page doesn’t allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account or the attacker issuing this for an account they do not control. This issue has been patched in version 3.2.5.

Affected configurations

Vulners

NVD

Node

thorstenphpmyfaqRange<3.2.5

CPENameOperatorVersion
phpmyfaq:phpmyfaqphpmyfaqlt3.2.5

CPE	Name	Operator	Version
phpmyfaq:phpmyfaq	phpmyfaq	lt	3.2.5

CNA Affected

[
  {
    "vendor": "thorsten",
    "product": "phpMyFAQ",
    "versions": [
      {
        "version": "< 3.2.5",
        "status": "affected"
      }
    ]
  }
]