Lucene search

Veracode Vulnerability DatabaseVERACODE:45369

HistoryFeb 06, 2024 - 10:43 a.m.

Account Spoofing

2024-02-0610:43:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

phpmyfaq

vulnerability

user removal

account spoofing

backend validation

form manipulation

admin tricking

proxy interception

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.2%

JSON

phpMyFAQ is vulnerable to User Account Spoofing. The vulnerability is due to the user removal page lacking backend validation, allowing an attacker to manipulate form details by intercepting the request via a proxy, which can allow an attacker to trick an admin into removing the account.

CPENameOperatorVersion
phpmyfaq/phpmyfaqle3.2.4
phpmyfaq/phpmyfaqle3.2.4

CPE	Name	Operator	Version
	phpmyfaq/phpmyfaq	le	3.2.4
	phpmyfaq/phpmyfaq	le	3.2.4

References

github.com/thorsten/phpMyFAQ/commit/1348dcecdaec5a5714ad567c16429432417b534d

github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6648-6g96-mg35

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for VERACODE:45369