Thorsten Rinne

100 exploits Active since Apr 2017
CVE-2023-5227 WRITEUP CRITICAL
phpmyfaq < 3.1.8 - Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.
CVSS 9.8
CVE-2023-5316 WRITEUP MEDIUM
phpmyfaq < 3.1.18 - DOM-based Cross-Site Scripting
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
CVSS 6.1
CVE-2023-5317 WRITEUP MEDIUM
phpmyfaq < 3.1.18 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
CVSS 5.4
CVE-2023-5319 WRITEUP MEDIUM
phpmyfaq < 3.1.18 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
CVSS 5.4
CVE-2023-5320 WRITEUP MEDIUM
phpmyfaq < 3.1.18 - DOM-based Cross-Site Scripting
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
CVSS 6.1
CVE-2023-5863 WRITEUP MEDIUM
phpmyfaq < 3.2.2 - Cross-Site Scripting
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
CVSS 6.1
CVE-2023-5864 WRITEUP MEDIUM
phpmyfaq < 3.2.1 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
CVSS 4.8
CVE-2023-5865 WRITEUP CRITICAL
phpmyfaq < 3.2.2 - Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
CVSS 9.8
CVE-2023-5866 WRITEUP MEDIUM
thorsten/phpmyfaq <3.2.1 - Info Disclosure
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
CVSS 5.7
CVE-2023-5867 WRITEUP MEDIUM
phpmyfaq < 3.2.2 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
CVSS 5.4
CVE-2023-6889 WRITEUP MEDIUM
phpmyfaq < 3.1.17 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.
CVSS 5.4
CVE-2023-6890 WRITEUP MEDIUM
phpmyfaq < 3.1.17 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.
CVSS 5.4
CVE-2024-22202 WRITEUP MEDIUM
phpMyFAQ < 3.2.5 - Improper Access Control via User Removal Request Spoofing
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ's user removal page allows an attacker to spoof another user's details, and in turn make a compelling phishing case for removing another user's account. Although the front-end of this page doesn't allow changing the form details, an attacker can use a proxy to intercept the request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account and an attacker issuing the request for an account they do not control. This issue has been patched in version 3.2.5.
CVSS 5.7
CVE-2024-22208 WRITEUP MEDIUM
phpMyFAQ < 3.2.5 - Unauthenticated Email Spam via FAQ Sharing Functionality
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ application has a functionality where anyone can share a FAQ item with others. The front-end of this functionality allows any phpMyFAQ article to be shared with 5 email addresses. Any unauthenticated actor can perform this action. There is a CAPTCHA in place; however, the number of recipients in a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once. An attacker can use the target application's email server to send phishing messages. This can get the server on a blacklist, causing all emails to end up in spam. It can also lead to reputational damage. This issue has been patched in version 3.2.5.
CVSS 6.5
CVE-2024-27299 WRITEUP HIGH
phpmyfaq 3.2.5 - Authenticated SQL Injection via News Author Email Field
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. The vulnerable input is the `authorEmail` field, which uses PHP's `FILTER_VALIDATE_EMAIL` filter. This filter is insufficient to protect against SQL injection attacks, and the value should still be properly escaped. However, in this version of phpMyFAQ (3.2.5), this field is not escaped properly and can be used together with other fields to fully exploit the SQL injection vulnerability. This vulnerability is fixed in 3.2.6.
CVSS 8.8
CVE-2024-27300 WRITEUP MEDIUM
phpMyFAQ >=3.2.5 <3.2.6 - Stored Cross-Site Scripting via Email Field
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's `FILTER_VALIDATE_EMAIL` filter, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. This vulnerability is fixed in 3.2.6.
CVSS 5.5
CVE-2024-28105 WRITEUP HIGH
phpmyfaq >=3.2.5 <3.2.6 - Unrestricted Upload of File with Dangerous Type via Category Image Upload
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The category image upload function in phpmyfaq is vulnerable to manipulation of the `Content-type` and `lang` parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system. This vulnerability is fixed in 3.2.6.
CVSS 7.2
CVE-2024-28106 WRITEUP MEDIUM
phpmyfaq 3.2.5 - Stored Cross-Site Scripting via News Parameter
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6.
CVSS 4.3
CVE-2024-28107 WRITEUP HIGH
phpMyFAQ >=3.2.5 <3.2.6 - Authenticated SQL Injection via Email Address Parameter
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in `insertentry` and `saveentry` when modifying records, due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. This vulnerability is fixed in 3.2.6.
CVSS 8.8
CVE-2024-28108 WRITEUP MEDIUM
phpmyfaq 3.2.5 - Unauthenticated Stored Cross-Site Scripting via ContentLink Parameter
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code into the page, which might affect other users. Exploitation also requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ. This vulnerability is fixed in 3.2.6.
CVSS 4.7
CVE-2024-29196 WRITEUP LOW
phpMyFAQ 3.2.5 - Authenticated Path Traversal via Attachment Upload
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in 3.2.6.
CVSS 3.8
CVE-2024-54141 WRITEUP HIGH
phpMyFAQ < 4.0.0 - Sensitive Information Exposure via Database Connection Error
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (e.g. PostgreSQL) server's credentials when the connection to the database fails. This vulnerability is fixed in 4.0.0.
CVSS 8.6
CVE-2025-59943 WRITEUP HIGH
phpMyFAQ < 4.0.13 - Improper Access Control via Duplicate Email Registration
phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13.
CVSS 8.1
CVE-2025-68951 WRITEUP MEDIUM
phpMyFAQ 4.0.14-4.0.15 - Stored Cross-Site Scripting via User Display Name
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
CVSS 5.4
CVE-2025-69200 WRITEUP HIGH
phpMyFAQ < 4.0.16 - Unauthenticated Sensitive Information Exposure via Backup API
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
CVSS 7.5