Path traversal in phpMyFAQ - CVE-2024-29196
Published: March 25, 2024 / Updated: May 5, 2026
phpMyFAQ
Thorsten Rinne
Description
The vulnerability allows a remote user to upload files to unintended locations within the web root.
The vulnerability exists due to path traversal in the attachment location setting when processing attachment upload paths. A remote privileged user can set a crafted attachment location and upload files to unintended locations within the web root.
The issue affects the attachments feature and does not require user interaction.
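The following is an added example, not phpMyFAQ's code or its actual fix: one way to confine a configured attachment location to a single storage directory before any upload path is built from it. The function names, the base directory and the sample values are hypothetical, and POSIX-style paths are assumed.

```php
<?php
// Hypothetical helpers, not phpMyFAQ code. POSIX-style paths assumed.

// Collapse "." and ".." lexically, so the check works before the directory exists.
function normalisePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '..') {
            array_pop($parts); // cannot climb above "/"
        } elseif ($segment !== '' && $segment !== '.') {
            $parts[] = $segment;
        }
    }
    return '/' . implode('/', $parts);
}

// True for $base itself or anything below it; the "/" blocks sibling-prefix matches.
function isInside(string $path, string $base): bool
{
    return $path === $base || strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Returns the normalised directory, or null if it resolves outside $allowedBase.
function confineAttachmentDir(string $configured, string $allowedBase): ?string
{
    if ($configured === '' || strpos($configured, "\0") !== false) {
        return null;
    }
    $base = normalisePath($allowedBase);
    $absolute = $configured[0] === '/' || $configured[0] === '\\';
    $candidate = normalisePath($absolute ? $configured : $base . '/' . $configured);
    if (!isInside($candidate, $base)) {
        return null;
    }
    // When the directory already exists, resolve symlinks and check again.
    $real = realpath($candidate);
    $realBase = realpath($base);
    if ($real !== false && $realBase !== false && !isInside($real, $realBase)) {
        return null;
    }
    return $candidate;
}

// Constructed sample values for the setting.
$base = '/srv/faq-data/attachments';
foreach (['2024/03', '../../../var/www/html', '/var/www/html/images', '../attachments-old'] as $value) {
    printf("%-24s => %s\n", $value, confineAttachmentDir($value, $base) ?? 'REJECTED');
}
```

Running the check both when the setting is saved and again when the upload path is built covers values that were stored before validation existed.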