phpMyFAQ Cross-Site Request Forgery Vulnerability (CNVD-2018-17637)
phpMyFAQ is an open source, fully database-driven FAQ (question and answer) system developed by the phpMyFAQ team. The system supports multiple languages, multiple databases, etc., and includes modules such as a content management system and community. A cross-site request forgery vulnerability exists...
phpMyFAQ SQL Injection Vulnerability (CNVD-2018-16949)
phpMyFAQ is an open source, fully database-driven FAQ (question and answer) system developed by the phpMyFAQ team. The system supports multiple languages, multiple databases, etc., and includes modules such as a content management system and community. A SQL injection vulnerability exists in versions...
Unauthenticated Read Access
phpMyFAQ/phpMyFAQ is vulnerable to unauthenticated read access. The vulnerability exists because there was no check on whether an attachment was being requested and read by an unauthenticated user...
Authorization Bypass
phpmyfaq/phpmyfaq is vulnerable to authorization bypasses. The library does not properly handle the instance ID, allowing a malicious user with admin rights to delete a multi-site master instance...
SQL Injection
phpMyFAQ/phpMyFAQ is vulnerable to SQL Injections. The library does not properly escape parameters in the SQL query executed by the restore function, allowing malicious users to inject and execute arbitrary SQL queries...
Bypass Protection Mechanism
phpMyFAQ/phpMyFAQ is vulnerable to a protection mechanism bypass. Due to a flaw in the CAPTCHA implementation, an attacker can bypass the CAPTCHA protections on forms by replaying the request...
Cross Site Request Forgery (CSRF)
phpMyFAQ/phpMyFAQ is vulnerable to cross-site request forgery (CSRF). The vulnerability exists because it does not properly check the CSRF token in user.php, allowing the attacker to delete any active user, to remove open questions, to manipulate FAQ and FAQ news, to add votes and to add or delete...
Authorization Bypass
phpMyFAQ/phpMyFAQ is affected by an authorization bypass. A remote authenticated user, with the privileges "Right to add attachments" and "Right to delete attachments" but without the privilege "Right to download the attachments", is able to download and read arbitrary attachments due to incorrect...
CVE-2014-6047
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks...
CVE-2014-6050
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request...
CVE-2014-6049
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter...
CVE-2014-6048
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...
Cross site request forgery (CSRF)
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request...
Design/Logic Flaw
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks...
Authorization
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter...
Server side request forgery (SSRF)
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...
CVE-2014-6045
SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function...
SQL injection
SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function...
Cross site request forgery (CSRF)
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4)...
CVE-2014-6046
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4)...