CVE-2014-6047
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks...
CVE-2014-6049
CVE-2014-6049 affects phpMyFAQ prior to version 2.8.13, where remote authenticated users with admin privileges can bypass authorization by manipulating a crafted instance ID parameter. The root cause involves improper handling of the instance ID, enabling privilege escalation: an admin user could...
CVE-2014-6048
The CVE-2014-6048 flaw affects phpMyFAQ before version 2.8.13, where an attacker can read arbitrary attachments via a direct request due to a missing check on whether an attachment is being requested. Public references describe unauthenticated read access and verify the core issue as improper acc...
CVE-2014-6046
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4)...
CVE-2014-6049
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter...
CVE-2014-6050
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request...
CVE-2014-6046
CVE-2014-6046 affects phpMyFAQ prior to 2.8.13. The root cause is lack of CSRF token validation, enabling CSRF to perform actions such as deleting active users, deleting/opening questions, activating users, publishing FAQs, managing Glossary/FAQ news, and adding/deleting comments or votes. The im...
CVE-2014-6047
CVE-2014-6047 affects phpMyFAQ prior to 2.8.13. The vulnerability exists in the download attachments path (phpmyfaq/attachment.php) due to incorrect permission checks, enabling remote authenticated users with some rights (e.g., add/delete attachments) to read arbitrary attachments they should not...
CVE-2014-6050
CVE-2014-6050 affects phpMyFAQ prior to 2.8.13 and allows remote attackers to bypass CAPTCHA protection by replaying the request. NVD describes CAPTCHA bypass; Veracode notes bypass of form protections via replay. Documented impact is bypass of CAPTCHA on forms; no remediation details are provide...
CVE-2014-6045
CVE-2014-6045 pertains to the PHPMyFAQ package, where versions before 2.8.13 are affected by an SQL injection vulnerability. The issue enables remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function. The root cause is improp...
CVE-2014-6048
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...
CVE-2014-6045
SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function...
phpMyFAQ 2.9.9 Code Injection
Exploit Title: PHPMYFAQ 2.9.9 Code Injection Google Dork: NA Date: Nov 6 2017 Exploit Author: tomplixsee Author blog : cupuzone.wordpress.com Vendor Homepage: http://www.phpmyfaq.de Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip Version: 2.9.9 Tested on: Ubuntu Server 16.04, PHP...
phpMyFAQ 2.9.8 - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability Exploit Author: Nikhil Mittal Payatu Labs Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Version: 2.9.8 Tested on: MAC OS CVE : 2017-15730...
PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)
PHPMyFAQ 2.9.8 - Cross-Site Scripting (3) Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability Date: 28-9-2017 Exploit Author: Nikhil Mittal Payatu Labs Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Version: 2.9.8 Tested on: MAC OS CVE :...
PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)
Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability Date: 28-9-2017 Exploit Author: Nikhil Mittal Payatu Labs Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Version: 2.9.8 Tested on: MAC OS CVE : 2017-15727 1. Description In phpMyFAQ befo...
phpMyFAQ 2.9.8 - Cross-Site Request Forgery
Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability Date: 27-9-2017 Exploit Author: Nikhil Mittal Payatu Labs Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Version: 2.9.8 Tested on: MAC OS CVE : 2017-15730 1. Description In phpMyFAQ before...
phpMyFAQ 2.9.8 - Cross-Site Request Forgery
phpMyFAQ 2.9.8 - Cross-Site Request Forgery Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability Date: 27-9-2017 Exploit Author: Nikhil Mittal Payatu Labs Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Version: 2.9.8 Tested on: MAC OS CVE :...
Cross-site Scripting (XSS)
phpmyfaq is vulnerable to cross-site scripting (XSS) attacks. The library does not sanitize the tags in the phpmyfaq/admin/tags.main.php file, allowing a malicious user to inject and execute arbitrary web script...
Cross-site Request Forgery (CSRF)
phpmyfaq is vulnerable to cross-site request forgery (CSRF). The library fails to implement any CSRF protection in the phpmyfaq/admin/ajax.config.php file, allowing a malicious user to send a request to create or delete a phpmyfaq instance...