SB2024121368 - Spoofing attack in phpMyFAQ
Published: December 13, 2024 Updated: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Spoofing attack (CVE-ID: CVE-2024-55889)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to trigger unintended file downloads on a victim's machine.
The vulnerability exists due to user interface misrepresentation of critical information in the FAQ Record component when rendering embedded frames in FAQ content. A remote privileged user can embed an iframe referencing an uploaded attachment to trigger unintended file downloads on a victim's machine.
On the edit screen, the download is triggered without user interaction; on the public FAQ page, browser behavior may vary and some browsers may present a confirmation prompt.
Remediation
Install update from vendor's website.