← back
CVE-2024-55889

phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames

CVSS 4.9 MEDIUMEPSS 2.1%CWE-451
phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Affected products
thorsten · phpMyFAQ
public PoCs found1
exploitdbwww.exploit-db.com/exploits/52235unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711dhttps://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc