Phpmyfaq · Phpmyfaq · CVE-2026-35672
**Name of the Vulnerable Software and Affected Versions**
phpMyFAQ versions prior to 4.1.3
**Description**
An authentication bypass exists in API v4.0 because the installation process seeds the `api.apiClientToken` configuration value with an empty string by default. The `hasValidToken()` function rejects a request only when a strict inequality (`!==`) between the configured token and the `x-pmf-token` request header holds; when both are empty strings the inequality evaluates to false, the request is not rejected, and the caller is treated as authenticated. This allows unauthenticated attackers to inject content such as phishing links or SEO spam by creating or modifying FAQ entries, categories, and questions.
Technical details include the following affected POST and PUT endpoints:
- `/api/v4.0/faq/create`
- `/api/v4.0/faq/update`
- `/api/v4.0/category`
- `/api/v4.0/question`
The request header used for token validation is `x-pmf-token`.
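As an added illustration (this is not phpMyFAQ's own code; the function names, signatures and sample token values are assumptions), the following PHP shows the comparison pattern the advisory describes next to a hardened form that refuses to operate with an unconfigured token and requires a non-empty header:

```php
<?php
// Added illustration, not phpMyFAQ code. Models a token check of the kind the
// advisory describes, in a vulnerable and a hardened variant.

/**
 * Vulnerable pattern: a single strict-inequality test between the configured
 * token and the x-pmf-token header. With the installer default '' and a
 * missing or empty header, '' !== '' is false, so nothing rejects the request
 * and the caller is treated as authenticated.
 */
function hasValidTokenVulnerable(string $configuredToken, ?string $headerToken): bool
{
    // A missing header arrives as null; cast to '' as a header-reading layer would.
    if ($configuredToken !== (string) $headerToken) {
        return false;
    }
    return true;
}

/**
 * Hardened pattern: fail closed when no token has been configured, reject an
 * absent or empty header explicitly, and compare in constant time.
 */
function hasValidTokenHardened(string $configuredToken, ?string $headerToken): bool
{
    if ($configuredToken === '') {
        // Misconfiguration: the API must not be usable until a token is set.
        return false;
    }
    if ($headerToken === null || $headerToken === '') {
        return false;
    }
    return hash_equals($configuredToken, $headerToken);
}

// Constructed cases: [configured token, header value, label]
$cases = [
    ['',             null,           'default install, no header'],
    ['',             '',             'default install, empty header'],
    ['s3cret-token', '',             'configured, empty header'],
    ['s3cret-token', 's3cret-token', 'configured, correct header'],
    ['s3cret-token', 'wrong',        'configured, wrong header'],
];

foreach ($cases as [$configured, $header, $label]) {
    printf(
        "%-32s vulnerable=%-5s hardened=%s\n",
        $label,
        hasValidTokenVulnerable($configured, $header) ? 'true' : 'false',
        hasValidTokenHardened($configured, $header) ? 'true' : 'false'
    );
}
```

Run with `php check.php`: the two "default install" rows are the advisory's failure mode, where the vulnerable variant accepts the request and the hardened one refuses it; only the "configured, correct header" row is accepted by both. The explicit empty-token guard is what the workaround in the recommendations approximates by configuration alone.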
**Recommendations**
Update to version 4.1.3 or later.
As a temporary workaround, explicitly configure a non-empty value for the `api.apiClientToken` setting in the system settings so that the authentication check cannot be bypassed with an empty or missing `x-pmf-token` header.