SB20260505101 - Multiple vulnerabilities in phpMyFAQ
Published: May 5, 2026
Description
This security bulletin contains information about 13 vulnerabilities.
1) SQL injection (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which serve unauthenticated GET requests to the public /api/captcha endpoint and use the request's User-Agent header in their queries. A remote attacker can send a request with a specially crafted User-Agent header to execute arbitrary SQL commands.
The issue is reachable without authentication or user interaction. The attacker-controlled header value reaches both a DELETE query (the garbage collection) and an INSERT query (saving the captcha), so a single request exercises two injection points.
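The following PHP is an added illustration, not phpMyFAQ's code: a captcha store that keeps a User-Agent-keyed record, with the injectable string-building pattern next to a version that binds the header as a parameter so the database never interprets it as SQL. The table and column names (faq_captcha, useragent, captcha_time, code), the 255-character clamp and the sample header are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. Table and column names are assumed.
final class CaptchaStore
{
    public function __construct(private PDO $db) {}

    // VULNERABLE pattern: the header is pasted straight into the SQL text.
    // A User-Agent containing a quote closes the string literal and the rest
    // of the header runs as SQL. Kept here for comparison; never called.
    public function garbageCollectorUnsafe(string $userAgent, int $maxAge): void
    {
        $cutoff = time() - $maxAge;
        $this->db->exec(
            "DELETE FROM faq_captcha WHERE captcha_time < $cutoff "
            . "OR useragent = '$userAgent'"
        );
    }

    // HARDENED: the header only travels as a bound parameter, so its content
    // is data regardless of quotes, comments or keywords it contains.
    public function garbageCollector(string $userAgent, int $maxAge): int
    {
        $stmt = $this->db->prepare(
            'DELETE FROM faq_captcha WHERE captcha_time < :cutoff OR useragent = :ua'
        );
        $stmt->bindValue(':cutoff', time() - $maxAge, PDO::PARAM_INT);
        $stmt->bindValue(':ua', self::clampUserAgent($userAgent), PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->rowCount();
    }

    public function saveCaptcha(string $userAgent, string $code): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO faq_captcha (useragent, captcha_time, code) VALUES (:ua, :t, :code)'
        );
        $stmt->bindValue(':ua', self::clampUserAgent($userAgent), PDO::PARAM_STR);
        $stmt->bindValue(':t', time(), PDO::PARAM_INT);
        $stmt->bindValue(':code', $code, PDO::PARAM_STR);
        $stmt->execute();
    }

    // Defence in depth: the header is an opaque string to this code, so cap
    // its length before it reaches storage or logs (255 is an assumption).
    private static function clampUserAgent(string $ua): string
    {
        return mb_substr($ua, 0, 255);
    }
}

// Usage against an in-memory SQLite database, constructed for this example.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE faq_captcha (useragent TEXT NOT NULL, captcha_time INTEGER NOT NULL, code TEXT NOT NULL)');
$store = new CaptchaStore($db);

// Constructed header with the classic shape of an injection attempt (a quote
// followed by SQL); the bound version treats it as an inert string.
$ua = "Mozilla/5.0 (X11; Linux x86_64) ' OR 1=1 --";
$store->garbageCollector($ua, 600);   // removes stale rows and this client's old row, nothing else
$store->saveCaptcha($ua, 'a7x9k2');
printf("rows: %d\n", $db->query('SELECT COUNT(*) FROM faq_captcha')->fetchColumn());
```

With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server binds the values itself rather than the driver escaping them client-side.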
2) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote privileged user to delete arbitrary directories.
The vulnerability exists due to path traversal in Client::deleteClientFolder() when the folder path is built from a user-supplied client URL. A remote privileged user can submit a URL containing traversal sequences (such as ../) to delete directories outside the intended multisite client folder.
Exploitation requires the multisite subsystem to be bootstrapped with at least one non-primary instance present.
3) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in getIdFromSolutionId() and in the getFaqBySolutionId() fallback query in phpmyfaq/src/phpMyFAQ/Faq.php when resolving solution ID lookups. Because solution IDs are sequential, a remote attacker can iterate over them and observe the responses to disclose sensitive information.
The lookup resolves restricted FAQ entries even though a separate permission check later denies rendering of the body, so the redirect location and the related page metadata reveal that the entry exists together with its internal id, language, category binding and title.
4) SQL injection (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in CurrentUser::setTokenData() in phpmyfaq/src/phpMyFAQ/User/CurrentUser.php, which processes OAuth token fields received from the Azure AD authentication flow without neutralizing them. A remote attacker who can get crafted claim values into that token data can execute arbitrary SQL commands.
Exploitation requires Azure AD authentication to be enabled, and the OAuth login flow has to be completed (user interaction) before the crafted token data is processed.
5) Improper Restriction of Excessive Authentication Attempts (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass two-factor authentication and gain full administrative access.
The vulnerability exists due to improper restriction of excessive authentication attempts in the /admin/check endpoint in AuthenticationController, which accepts 2FA token submissions from unauthenticated clients for an arbitrary user-id. A remote attacker can send repeated POST requests with the target's user-id and guessed token values until one is accepted, bypassing two-factor authentication and gaining full administrative access.
The endpoint is reachable without a prior authenticated session and does not bind the 2FA check to a password-verified login flow, so the token check is the only factor standing between the attacker and the account, and it can be guessed without limit.
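Added example, not phpMyFAQ's AuthenticationController: a two-step gate in PHP in which the 2FA token is accepted only for the user recorded server-side by a preceding password check, never for a user-id taken from the request, and repeated wrong guesses lock the account. The limits (5 attempts, 15-minute lockout, 5-minute pending window) and the in-memory attempt store are assumptions; FixedCodeVerifier is a constructed stand-in for a real TOTP check.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code.
interface TotpVerifier
{
    public function verify(int $userId, string $token): bool;
}

final class TwoFactorGate
{
    private const MAX_ATTEMPTS = 5;        // assumption
    private const LOCKOUT_SECONDS = 900;   // assumption
    private const PENDING_SECONDS = 300;   // assumption

    /** @var array<int, array{fails:int, until:int}> in-memory for the example;
     *  a real deployment needs a shared store so limits hold across workers */
    private array $attempts = [];

    public function __construct(private TotpVerifier $totp) {}

    // Step 1: only a correct password creates the pending state. The user id
    // is recorded in the session; the 2FA step never reads it from the request.
    public function passwordStep(array &$session, int $userId): void
    {
        $session['pending_2fa_user'] = $userId;
        $session['pending_2fa_since'] = time();
    }

    // Step 2: the token is checked against the pending user only, and every
    // wrong guess counts toward a lockout that also blocks a later correct guess.
    public function tokenStep(array &$session, string $token): string
    {
        $userId = $session['pending_2fa_user'] ?? null;
        if ($userId === null || time() - ($session['pending_2fa_since'] ?? 0) > self::PENDING_SECONDS) {
            return 'no_pending_login';
        }
        $state = $this->attempts[$userId] ?? ['fails' => 0, 'until' => 0];
        if ($state['until'] > time()) {
            return 'locked';
        }
        if (!$this->totp->verify($userId, $token)) {
            $state['fails']++;
            if ($state['fails'] >= self::MAX_ATTEMPTS) {
                $state = ['fails' => 0, 'until' => time() + self::LOCKOUT_SECONDS];
            }
            $this->attempts[$userId] = $state;
            return 'invalid_token';
        }
        unset($this->attempts[$userId], $session['pending_2fa_user'], $session['pending_2fa_since']);
        $session['admin_user'] = $userId;   // a full session exists only from here on
        return 'ok';
    }
}

// Constructed stand-in: one fixed code per user, compared in constant time.
final class FixedCodeVerifier implements TotpVerifier
{
    public function __construct(private array $codes) {}

    public function verify(int $userId, string $token): bool
    {
        return isset($this->codes[$userId]) && hash_equals($this->codes[$userId], $token);
    }
}

$gate = new TwoFactorGate(new FixedCodeVerifier([1 => '492817']));
$session = [];
echo $gate->tokenStep($session, '492817'), "\n";   // no_pending_login: no password step happened
$gate->passwordStep($session, 1);
foreach (['000000', '111111', '222222', '333333', '444444'] as $guess) {
    echo $gate->tokenStep($session, $guess), "\n"; // invalid_token, five times
}
echo $gate->tokenStep($session, '492817'), "\n";   // locked: the right code no longer helps
```

A per-client limit on the endpoint (by IP or by pending session) belongs on top of the per-account lockout, so that an attacker cannot use the lockout itself to keep the real administrator out.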
6) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in the admin-api routes that serve backend management API endpoints. A remote user who should not have access to them can send requests to admin-only API endpoints and read the responses.
Depending on the enabled features, the exposed data may include version status, health-check information, LDAP configuration details, and Elasticsearch or OpenSearch status and statistics.
7) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose sensitive information.
The vulnerability exists due to improper neutralization of input during web page generation when search results are rendered from stored FAQ content in search.twig and SearchController.php. A remote privileged user can store HTML-entity-encoded script payloads in FAQ content; when that content appears in search results the payload is rendered without proper escaping and executes in the visitor's browser.
User interaction is required (the victim must visit a search results page that contains the poisoned content), and the victim may be an unauthenticated visitor or an administrator.
8) Missing Authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose configuration metadata.
The vulnerability exists due to missing authorization checks in the ConfigurationTabController admin API endpoints that serve the configuration tab data under /admin/api/configuration. A remote user with an authenticated session can request these endpoints to disclose configuration metadata.
The issue affects 12 GET endpoints and exposes details such as the permission model, active template, cache backend, mail provider, translation provider, and release environment.
9) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser within the application origin.
The vulnerability exists due to improper neutralization of input during web page generation in SvgSanitizer::decodeAllEntities() when processing uploaded SVG files. The sanitizer's entity decoding does not keep up with deeply nested entity-encoded javascript: links, so the malicious link target survives sanitization. A remote user can upload a specially crafted SVG file to execute arbitrary JavaScript in a victim's browser within the application origin.
User interaction is required: the victim must click the malicious link embedded in the rendered SVG.
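Added example, not phpMyFAQ's SvgSanitizer: an href check in PHP that decodes entities until the value stops changing (input still changing after a cap is treated as hostile rather than passed), strips the characters browsers ignore inside a scheme, and then allows only an explicit scheme list. The cap of 10 rounds and the allowed schemes are assumptions; the test vectors are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code.
final class SvgHrefCheck
{
    private const MAX_DECODE_ROUNDS = 10;                    // assumption
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumption

    // Decode HTML/XML entities repeatedly until a fixed point. A value that is
    // still changing after the cap is nested beyond anything legitimate; return
    // null so the caller rejects it instead of checking a half-decoded string.
    public static function decodeAllEntities(string $value): ?string
    {
        for ($i = 0; $i < self::MAX_DECODE_ROUNDS; $i++) {
            $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if ($decoded === $value) {
                return $value;
            }
            $value = $decoded;
        }
        return null;
    }

    public static function isSafeHref(string $raw): bool
    {
        $value = self::decodeAllEntities($raw);
        if ($value === null) {
            return false;
        }
        // Browsers strip leading/trailing ASCII whitespace and drop tabs and
        // newlines anywhere in a URL, so "java\tscript:" is still javascript:.
        // Removing every control character is the conservative choice here.
        $normalised = preg_replace('/[\x00-\x20\x7f]+/', '', $value);
        if ($normalised === null || $normalised === '') {
            return false;
        }
        // A relative URL (no scheme) is fine, except protocol-relative ones.
        if (!preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $normalised, $m)) {
            return !str_starts_with($normalised, '//');
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }
}

// Constructed vectors: [href as written in the SVG, expected verdict].
$vectors = [
    ['https://example.org/logo.svg', true],
    ['#anchor', true],
    ['javascript:alert(1)', false],
    ['&#106;avascript:alert(1)', false],                 // one level of encoding
    ['&amp;#106;avascript:alert(1)', false],             // two levels
    ['&amp;amp;amp;#x6a;ava&#9;script:alert(1)', false], // deeper, plus a tab in the scheme
    ['data:text/html,x', false],                         // not on the allow list
];
foreach ($vectors as [$href, $expected]) {
    $verdict = SvgHrefCheck::isSafeHref($href);
    printf("%s %s\n", $verdict === $expected ? 'PASS' : 'FAIL', $href);
}
```

The check should run on the fully decoded value and only then be applied to the attributes that carry URLs (href, xlink:href and the like); decoding once or a fixed small number of times is exactly what a deeper nesting defeats.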
10) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to insufficient sanitization of FAQ question and answer content in the FAQ creation and update endpoints and in the Twig templates that render it. A remote user can submit specially crafted FAQ content to execute arbitrary script in a victim's browser.
User interaction is required: the victim must view the compromised FAQ entry or a search results page that includes it.
11) Missing Authorization (CVE-ID: N/A)
The vulnerability allows a remote user to delete tags.
The vulnerability exists due to improper access control in the TagController::delete() endpoint when handling DELETE requests to /admin/api/content/tags/{tagId}. A remote user can send a DELETE request for an arbitrary tag ID to delete that tag.
The endpoint does not enforce the FAQ_EDIT permission, and frontend user sessions are accepted for admin API requests, so any authenticated frontend user can delete tags.
12) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in AbstractAdministrationController::userHasPermission() when handling requests for permission-protected admin pages. The method sends the forbidden page but does not end the request, and admin controllers that do not return after calling it go on to render the protected page into the same response. A remote user can request a protected admin page URL and read the protected admin content that follows the forbidden page in the response body.
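Added example, not phpMyFAQ code, covering the failure mode in 12) and the missing check in 11): a permission helper that renders the forbidden page but returns normally, so a controller that ignores the result appends protected content to the same response, beside a fail-closed version that throws and is turned into a 403 by a front controller, where no controller can forget to stop. Response, User, the controllers and the permission name are stand-ins.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. All classes here are stand-ins.
final class Response
{
    public function __construct(public int $status, public string $body) {}
}

final class User
{
    public function __construct(private array $perms) {}

    public function can(string $perm): bool
    {
        return in_array($perm, $this->perms, true);
    }
}

final class AccessDeniedException extends RuntimeException {}

// The shape the bulletin describes: the helper writes the forbidden page,
// but control comes back to the controller, which keeps rendering.
abstract class LeakyController
{
    protected string $output = '';

    protected function userHasPermission(User $u, string $perm): bool
    {
        if (!$u->can($perm)) {
            $this->output .= '<h1>403 Forbidden</h1>';
            return false;   // a caller that drops this value carries on
        }
        return true;
    }
}

final class LeakyUsersController extends LeakyController
{
    public function index(User $u): Response
    {
        $this->userHasPermission($u, 'user_view');          // result ignored
        $this->output .= '<table>all users and e-mails</table>';
        return new Response(200, $this->output);            // 403 page followed by the data
    }
}

// Fail-closed version: denial is an exception, so execution cannot continue
// past the check, and the status code is the real 403 rather than a 200.
abstract class SafeController
{
    protected function requirePermission(User $u, string $perm): void
    {
        if (!$u->can($perm)) {
            throw new AccessDeniedException($perm);
        }
    }
}

final class SafeUsersController extends SafeController
{
    public function index(User $u): Response
    {
        $this->requirePermission($u, 'user_view');
        return new Response(200, '<table>all users and e-mails</table>');
    }
}

function dispatch(callable $action, User $u): Response
{
    try {
        return $action($u);
    } catch (AccessDeniedException) {
        return new Response(403, '<h1>403 Forbidden</h1>');
    }
}

$viewer = new User([]);   // constructed: a logged-in user with no admin permission
$leaky = dispatch([new LeakyUsersController(), 'index'], $viewer);
$safe = dispatch([new SafeUsersController(), 'index'], $viewer);
printf("leaky: %d %s\n", $leaky->status, $leaky->body);   // 200 and both fragments
printf("safe:  %d %s\n", $safe->status, $safe->body);     // 403 and the forbidden page only
```

The same rule closes the gap in 11): if the permission check lives in the dispatcher or a base class that throws, an endpoint such as the tag delete cannot be reached without FAQ_EDIT merely because its handler omits the call.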
13) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of URLs in Utils::parseUrl() and in comment rendering when stored comment content containing a crafted URL is displayed. A remote user can submit a specially crafted comment to execute arbitrary script in a victim's browser.
Only instances with main.enableCommentEditor enabled are vulnerable. User interaction is required: the victim must view the affected FAQ or News page or the admin comment panel.
Remediation
Install the update from the vendor's website.
References
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-289f-fq7w-6q2w
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gh9p-q46p-57g2
- https://github.com/advisories/GHSA-gh9p-q46p-57g2
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pm8c-3qq3-72w7
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pqh6-8fxf-jx22
- https://github.com/advisories/GHSA-pqh6-8fxf-jx22
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx
- https://github.com/advisories/GHSA-rm98-82fr-mcfx
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-whqh-9pq5-c7r3
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-f5p7-2c9q-8896
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7cx3-2qx2-3g6w
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9525-27vj-c8r8
- https://github.com/advisories/GHSA-9525-27vj-c8r8