CVE-2014-6048
MEDIUM
phpmyfaq < 2.8.13 - Unauthenticated Arbitrary Attachment Read
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-6048.
AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in phpMyFAQ 2.8.x, including persistent XSS via unfiltered User-Agent and Referer headers, unauthenticated FAQ data disclosure, and CSRF attacks for user credential manipulation and configuration changes.
Description
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request.
Exploits (1)
exploitdb
WORKING POC
webapps · php
https://www.exploit-db.com/exploits/34580
Classification
Working PoC 95%
Attack Type
XSS | Info Leak | Auth Bypass | Other
Complexity
Trivial
Reliability
Reliable
Target:
phpMyFAQ 2.8.x
No auth needed
Prerequisites:
Access to the target phpMyFAQ instance · Ability to send crafted HTTP requests
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026
References (2)
Core References
Third Party Advisory x_refsource_misc
http://techdefencelabs.com/security-advisories.html
Vendor Advisory x_refsource_confirm
https://www.phpmyfaq.de/security/advisory-2014-09-16
Scores
CVSS v3
5.3
EPSS
0.0568
EPSS Percentile
92.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
phpmyfaq/phpmyfaq
< 2.8.13
Published
Aug 28, 2018
Tracked Since
Feb 18, 2026