nvd,anchore_overrides
phpMyFAQ
Vulnerabilities: 141
Known exploited: 0
Critical: 13
High: 32
Top vulnerabilities
CVE-2025-59943: phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13.
CVE-2023-5865: Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
CVE-2023-5227: Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.
CVE-2023-4006: Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.
CVE-2023-2429: Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.13.
CVE-2023-1886: Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVE-2023-1753: Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVE-2023-0789: Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0788: Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0311: Improper Authentication in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
CVE-2023-0307: Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
CVE-2022-3754: Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8.
CVE-2017-11187: phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly.
CVE-2024-28107: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the `insertentry` & `saveentry` when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. This vulnerability is fixed in 3.2.6.
CVE-2024-27299: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. The vulnerable field lies in the `authorEmail` field which uses PHP's `FILTER_VALIDATE_EMAIL` filter. This filter is insufficient in protecting against SQL injection attacks and should still be properly escaped. However, in this version of phpMyFAQ (3.2.5), this field is not escaped properly and can be used together with other fields to fully exploit the SQL injection vulnerability. This vulnerability is fixed in 3.2.6.
CVE-2023-1762: Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
CVE-2023-0793: Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0790: Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2018-16650: phpMyFAQ before 2.9.11 allows CSRF.
CVE-2017-15808: In phpMyFAQ before 2.9.9, there is CSRF in admin/ajax.config.php.
CVE-2017-15735: In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary.
CVE-2017-15734: In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php.
CVE-2017-15733: In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php.
CVE-2017-15732: In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php.
CVE-2017-15731: In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php.