CVE-2024-22202

MEDIUM

phpMyFAQ - CSRF

Title source: llm

Description

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account. The front-end of this page doesn't allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account or the attacker issuing this for an account they do not control. This issue has been patched in version 3.2.5.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6648-6g96-mg35

Patch x_refsource_misc

https://github.com/thorsten/phpMyFAQ/commit/1348dcecdaec5a5714ad567c16429432417b534d

View Patch ZIP pw:eip

Scores

CVSS v3 5.7

EPSS 0.0029

EPSS Percentile 52.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

phpmyfaq/phpmyfaq < 3.2.5

phpmyfaq/phpmyfaq 0 - 3.2.5Packagist

Published Feb 05, 2024

Tracked Since Feb 18, 2026