
1756 matches found

NVD
added 2025/12/17 11:15 p.m., 4 views

CVE-2023-53929

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

CVSS 8.8, EPSS 0.00072
Exploits: 1, References: 3
Vulnrichment
added 2025/12/17 10:44 p.m., 2 views

CVE-2023-53929 phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

CVSS 8.8, AI score 7.3, EPSS 0.00072
Exploits: 1, References: 3
Cvelist
added 2025/12/17 10:44 p.m., 18 views

CVE-2023-53929 phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...

CVSS 8.8, EPSS 0.00072
Exploits: 1, References: 3
CVE
added 2025/12/17 10:44 p.m., 9 views

CVE-2023-53929

Summary: CVE-2023-53929 affects phpMyFAQ 3.1.12. The vulnerability arises in the user data export workflow: an authenticated user can place CSV-injection payloads (e.g., calc|a!z|) in their profile name, which can trigger code execution when an administrator exports user data as CSV. Affected sof...

CVSS 8.8, AI score 7.3, EPSS 0.00072
Exploits: 1, References: 3, Affected Software: 1
CNNVD
added 2025/12/17 12:0 a.m., 2 views

phpMyFAQ Security Vulnerability

phpMyFAQ is a multilingual, fully database-driven FAQ system by the individual developer Thorsten Rinne. A security vulnerability exists in phpMyFAQ version 3.1.12, which stems from the ability of authenticated users to inject malicious formulas into their profile names, potentially leading to CS...

CVSS 8.8, AI score 6.8, EPSS 0.00072
Exploits: 1, References: 4
Positive Technologies
added 2025/12/17 12:0 a.m., 3 views

PT-2025-51967

Name of the Vulnerable Software and Affected Versions: phpMyFAQ version 3.1.12. Description: The software contains a CSV injection flaw that permits authenticated users to inject malicious formulas into their profile names. An attacker can modify their user profile name with a payload such as...

CVSS 8.8, AI score 7.5, EPSS 0.00072
Exploits: 1, References: 8
Veracode
added 2025/12/13 6:24 a.m., 3 views

SQL Injection

phpMyFAQ is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of inputs in the main configuration update functionality, which allows a privileged attacker with configuration edit permissions to execute arbitrary SQL commands and compromise the database...

CVSS 7.2, AI score 6.1, EPSS 0.00119
Exploits: 1, References: 4, Affected Software: 2
Packet Storm
added 2025/12/04 12:0 a.m., 253 views

📄 phpMyFAQ 2.9.8 Cross Site Request Forgery

phpMyFAQ version 2.9.8 suffers from multiple cross site request forgery vulnerabilities. These are proof of concepts from issues stemming back in 2017. Exploit Title: phpMyFAQ 2.9.8 Cross-Site Request Forgery CSRF Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage:...

CVSS 8.8, AI score 7.1, EPSS 0.00344
Exploits: 4
Exploit DB
added 2025/12/03 12:0 a.m., 149 views

phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF)

Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF) Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpMyFAQ Software Link: https://github.com/thorsten/phpMyFAQ Version: 2.9.8 Tested on: Ubuntu Windows CVE : CVE-2017-15734 PoC: Get...

CVSS 8.8, AI score 7, EPSS 0.00109
Exploits: 2
Packet Storm
added 2025/12/03 12:0 a.m., 119 views

📄 phpMyFAQ 3.1.7 Cross Site Scripting

phpMyFAQ version 3.1.7 suffers from a cross site scripting vulnerability. This one is similar to the finding posted in April of this year but is an older issue identified in 2022. Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting XSS Date: 2025-11-25 Exploit Author: CodeSecLab Vendor...

CVSS 7.3, AI score 6.3, EPSS 0.2358
Exploits: 3
Exploit DB
added 2025/12/03 12:0 a.m., 161 views

phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF)

Exploit Title: phpMyFAQ 2.9.8 Cross-Site Request Forgery CSRF Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpMyFAQ Software Link: https://github.com/thorsten/phpMyFAQ Version: 2.9.8 Tested on: Ubuntu Windows CVE : CVE-2017-15735 PoC: While still logged...

CVSS 8.8, AI score 7, EPSS 0.00109
Exploits: 2
Exploit DB
added 2025/12/03 12:0 a.m., 135 views

phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)

Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery CSRF Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpMyFAQ/ Software Link: https://github.com/thorsten/phpMyFAQ/ Version: 2.9.8 Tested on: Windows 10 CVE : CVE-2017-15808 PoC:...

CVSS 8.8, AI score 7, EPSS 0.00344
Exploits: 2
Exploit DB
added 2025/12/02 12:0 a.m., 135 views

phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)

Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting XSS Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpmyfaq/ Software Link: https://github.com/thorsten/phpmyfaq/ Version: 3.1.7 Tested on: Windows CVE : CVE-2022-3766 Proof Of Concept GET...

CVSS 7.3, AI score 7, EPSS 0.2358
Exploits: 3
Veracode
added 2025/11/25 10:5 a.m., 3 views

Improper Input Validation

thorsten/phpmyfaq is vulnerable to improper input validation. The vulnerability is due to the application's failure to enforce unique email addresses during registration, which allows an attacker to create multiple accounts with the same email and potentially exploit this for account ambiguity,...

CVSS 9.8, AI score 7.1, EPSS 0.00056
Exploits: 1, References: 4, Affected Software: 1
RedhatCVE
added 2025/11/18 4:55 p.m., 1 view

CVE-2025-62519

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitatio...

CVSS 7.2, AI score 8.8, EPSS 0.00119
Exploits: 1, References: 1
OpenVAS
added 2025/11/18 12:0 a.m., 1 view

phpMyFAQ < 4.0.14 SQLi Vulnerability (GHSA-fxm2-cmwj-qvx4)

phpMyFAQ is prone to an SQL injection (SQLi) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:phpmyfaq:phpmyfaq"; if...

CVSS 7.2, AI score 8.1, EPSS 0.00119
Exploits: 1, References: 2
Snyk
added 2025/11/17 5:40 p.m., 1 view

SQL Injection

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to SQL Injection in the update method in Configuration.php. A user with 'Configuration Edit' permissions can execute arbitrary SQL commands by submitting...

CVSS 8.6, AI score 9.2, EPSS 0.00119
Exploits: 1, References: 2
Github Security Blog
added 2025/11/17 5:37 p.m., 4 views

phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality

Summary: An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ v4.0.13 and prior allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database...

CVSS 7.2, AI score 9, EPSS 0.00119
Exploits: 1, References: 4, Affected Software: 2
OSV
added 2025/11/17 5:37 p.m., 1 view

GHSA-FXM2-CMWJ-QVX4 phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality

Summary: An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ v4.0.13 and prior allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database...

CVSS 7.2, AI score 9, EPSS 0.00119
Exploits: 1, References: 4
NVD
added 2025/11/17 5:15 p.m., 3 views

CVE-2025-62519

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitatio...

CVSS 7.2, EPSS 0.00119
Exploits: 1, References: 2