1756 matches found
CVE-2025-68951
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...
CVE-2025-69200
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...
CVE-2025-69200 phpMyFAQ has unauthenticated config backup download via /api/setup/backup
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...
CVE-2025-69200 phpMyFAQ has unauthenticated config backup download via /api/setup/backup
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...
CVE-2025-69200 phpMyFAQ has unauthenticated config backup download via /api/setup/backup
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...
CVE-2025-69200
Summary: phpMyFAQ
CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...
CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...
CVE-2025-68951 phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity_decode) + Twig |raw
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an...
CVE-2025-68951
CVE-2025-68951 affects phpMyFAQ. Versions 4.0.14 and 4.0.15 contain a stored XSS vulnerability where an attacker’s HTML entities in a display_name are decoded server-side and rendered unescaped in the admin user list (Twig |raw), enabling script execution in an administrator’s context. A patch ex...
CVE-2025-68951
creationtimestamp| type| source ---|---|--- 2025-12-29 10:11:32+00:00| published-proof-of-concept| https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc...
PT-2025-53729
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions 4.0.14 through 4.0.15 Description phpMyFAQ is a web application for creating FAQs. Versions 4.0.14 and 4.0.15 contain a stored cross-site scripting XSS issue. An attacker can inject and execute arbitrary JavaScript code in an...
phpMyFAQ 安全漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system by the individual developer Thorsten Rinne. A security vulnerability exists in phpMyFAQ versions prior to 4.0.16, which originates from an unauthenticated attacker who can trigger the generation of configuration backups, potentially...
phpMyFAQ 跨站脚本漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system by the individual developer Thorsten Rinne. A cross-site scripting vulnerability exists in phpMyFAQ versions 4.0.14 and 4.0.15, which stems from server-side decoding without escaping, and could lead to a stored cross-site scripting atta...
PT-2025-53730
Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.0.16 Description An unauthenticated remote attacker can trigger the generation of a configuration backup ZIP file via the /api/setup/backup API endpoint. The generated ZIP file, accessible via the web, contains...
CVE-2023-53929
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...
EUVD-2023-60202
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...
phpMyFAQ contains a CSV injection vulnerability
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...
CSV Injection
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to CSV Injection via the users data export feature. An attacker can execute arbitrary commands on the system by injecting malicious formulas into the profi...
CVE-2023-53929
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...