Lucene search
Isdkrisna2F1E417D-CF64-4CFB-954B-3A9CB2F38191HistoryFeb 13, 2023 - 4:47 a.m.
Broken access control - Someone still can comment in unactive FAQ NEWS
2023-02-1304:47:33
isdkrisna
www.huntr.dev
6
broken access control
inactive access
comment feature
0.001 Low
EPSS
Percentile
36.2%
Description
when a NEWS FAQ turns on the comments feature and disables post like this settings.
Screenshot >> https://imgur.com/a/9UY4QRf
if you create a FAQ news with those settings and view the post, you will notice that the comment section is disabled
Screenshot >> https://imgur.com/a/rY6zJt9
Proof of Concept
1.Open 2 Tab on your Browser
2.Tab A Visit some FAQ NEWS Then Fill All comment form
3.Tab B Open https://roy.demo.phpmyfaq.de/admin/?action=edit-news&id=1 (Link edit of A FAQ NEWS)
4.Tab B uncheck Activate and click edit news
5.Tab A send commend
Related
cve
cve
CVE-2023-1883
2023-04-05 17:15:07
nvd
nvd
CVE-2023-1883
2023-04-05 17:15:07
prion
prion
Improper access control
2023-04-05 17:15:00
github
github
thorsten/phpmyfaq vulnerable to improper access control
2023-04-05 18:30:18
veracode
veracode
Improper Access Control
2023-04-20 16:16:42
osv
osv
thorsten/phpmyfaq vulnerable to improper access control
2023-04-05 18:30:18
CVE-2023-1883
2023-04-05 17:15:07
cvelist
cvelist
CVE-2023-1883 Improper Access Control in thorsten/phpmyfaq
2023-04-05 00:00:00
openvas
openvas
phpMyFAQ < 3.1.12 Multiple Vulnerabilities
2023-04-04 00:00:00