Lucene search

GitHub_MCVE-2024-22202

HistoryFeb 05, 2024 - 8:15 p.m.

CVE-2024-22202

2024-02-0520:15:55

CWE-284

GitHub_M

web.nvd.nist.gov

phpmyfaq

faq

web application

php

mysql

postgresql

security

vulnerability

cve-2024-22202

user spoofing

phishing

account removal

patch

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

16.0%

JSON

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ’s user removal page allows an attacker to spoof another user’s detail, and in turn make a compelling phishing case for removing another user’s account. The front-end of this page doesn’t allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account or the attacker issuing this for an account they do not control. This issue has been patched in version 3.2.5.

Affected configurations

Nvd

Vulners

Node

phpmyfaqphpmyfaqRange<3.2.5

VendorProductVersionCPE
phpmyfaqphpmyfaq*cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
phpmyfaq	phpmyfaq	*	cpe:2.3:a:phpmyfaq:phpmyfaq::::::::

CNA Affected

[
  {
    "vendor": "thorsten",
    "product": "phpMyFAQ",
    "versions": [
      {
        "version": "< 3.2.5",
        "status": "affected"
      }
    ]
  }
]