Vulners
Lucene search
๐ phpMyFAQ 3.2.10 Unintended File Download
๐๏ธย 16 Apr 2025ย 00:00:00Reported byย George ChenTypeย 
ย packetstorm๐ย packetstorm.news๐ย 258ย Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | CVE-2024-55889 | 13 Dec 202413:48 | โ | circl |
 | phpMyFAQ ๅฎๅ จๆผๆด | 13 Dec 202400:00 | โ | cnnvd |
 | CVE-2024-55889 | 13 Dec 202413:44 | โ | cve |
 | CVE-2024-55889 phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames | 13 Dec 202413:44 | โ | cvelist |
 | phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames | 16 Apr 202500:00 | โ | exploitdb |
 | EUVD-2024-3486 | 3 Oct 202520:07 | โ | euvd |
 | thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames | 13 Dec 202420:36 | โ | github |
 | CVE-2024-55889 | 13 Dec 202414:15 | โ | nvd |
 | CVE-2024-55889 phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames | 13 Dec 202413:44 | โ | osv |
| GHSA-M3R7-8GW7-QWVC thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames | 13 Dec 202420:36 | โ | osv |
10
# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames
# Date: 13 Dec 2024
# Exploit Author: George Chen
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: v3.2.10
# Tested on: Mac, Win
# CVE : CVE-2024โ55889
*Summary*
A vulnerability exists in the FAQ Record component of
https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker
can trigger a file download on a victimโs machine upon page visit by
embedding it in an <iframe> element without user interaction or explicit
consent.
*Details*
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a
FAQ record is either created or edited, an attacker can insert an iframe,
as โsource codeโ, pointing to a prior โmaliciousโ attachment that the
attacker has uploaded via FAQ โnew attachmentโ upload, such that any page
visits to this FAQ will trigger an automated download (from the edit
screen, download is automated; from the faq page view as a normal user,
depending on the browser, a pop up confirmation may be presented before the
actual download. Firebox browser, for instance, does not require any
interactions).
[image: image.png]
*PoC*
1. create a new FAQ record and upload a โmaliciousโ file โ in my case, I
uploaded an eicar file. Take note of the uri, ie
โindex.php?action=attachment&id=2โ
2. in the FAQ record, insert a โsource codeโ blob using the โ< >โ button
3. insert in the following snippet and save FAQ record:
<p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image:
image.png]
4. Once the edit page reloads, the malicious code will be downloaded
onto the local machine without user interaction:[image: image.png]
Advisory:
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35cData
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Apr 2025 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.14.9 - 7.2
EPSS0.09192
SSVC