PT-2024-19276 · phpMyFAQ · phpMyFAQ

Pinkdraconian · Published 2024-02-05 · Updated 2024-02-12 · CVE-2024-22208

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.5

Description: The 'sharing FAQ' functionality in phpMyFAQ allows any unauthenticated actor to misuse the application to send arbitrary emails to a large range of targets. The front-end of this functionality allows any phpMyFAQ article to be shared with 5 email addresses, but the backend does not limit the number of email addresses that can be sent with a single request. An attacker can solve a single CAPTCHA and send thousands of emails at once, utilizing the target application's email server to send phishing messages. This can lead to the server being blacklisted, causing all emails to end up in spam, and can also result in reputational damage.

Recommendations: For versions prior to 3.2.5, update to version 3.2.5 to resolve the issue. As a temporary workaround, consider restricting access to the 'sharing FAQ' functionality to prevent unauthenticated actors from sending arbitrary emails. Additionally, monitor email server logs for suspicious activity and consider implementing additional security measures to prevent phishing attacks.
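The root cause described above is a limit enforced only in the browser form. The following is an added, self-contained example (not phpMyFAQ's own code, and not the vendor's fix) of how a server-side share handler enforces the same 5-recipient cap before any mail is sent, so a request that bypasses the form and posts thousands of addresses is rejected cheaply and logged. The function names, the payload shape and the sample addresses are assumptions constructed for illustration.

```python
import re

# Server-side cap; matches the 5-address limit the front-end form already imposes.
MAX_RECIPIENTS = 5

# Deliberately simple syntactic check for illustration; a production service
# would use a full RFC 5322 validator.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RecipientError(ValueError):
    """Raised when the recipient list is rejected before any mail is sent."""


def validate_recipients(raw_recipients, max_recipients=MAX_RECIPIENTS):
    """Return a de-duplicated list of valid addresses or raise RecipientError.

    The length check runs first, on the raw list, so an oversized request is
    rejected in O(1) before any per-address work or SMTP traffic happens.
    """
    if not isinstance(raw_recipients, list):
        raise RecipientError("recipients must be a JSON array")
    if len(raw_recipients) > max_recipients:
        raise RecipientError(
            f"too many recipients: {len(raw_recipients)} > {max_recipients}")
    cleaned, seen = [], set()
    for addr in raw_recipients:
        if not isinstance(addr, str):
            raise RecipientError("each recipient must be a string")
        addr = addr.strip().lower()
        if not _EMAIL_RE.match(addr):
            raise RecipientError(f"invalid address: {addr!r}")
        if addr not in seen:
            seen.add(addr)
            cleaned.append(addr)
    if not cleaned:
        raise RecipientError("no recipients given")
    return cleaned


def handle_share_request(payload, send_mail, log):
    """Hypothetical handler for a 'share this FAQ' POST (constructed example).

    payload:   parsed JSON body, e.g. {"faq_id": 42, "recipients": [...]}
    send_mail: callable(to_addr, subject) that delivers one message
    log:       callable(str) receiving one audit line per request, so an
               operator can see recipient counts and rejections when
               reviewing the mail-sending path
    Returns a dict with an HTTP status code and the number of messages sent.
    """
    faq_id = payload.get("faq_id")
    try:
        recipients = validate_recipients(payload.get("recipients"))
    except RecipientError as exc:
        log(f"share rejected faq={faq_id} reason={exc}")
        return {"status": 400, "sent": 0, "error": str(exc)}
    for addr in recipients:
        send_mail(addr, f"FAQ #{faq_id} was shared with you")
    log(f"share accepted faq={faq_id} recipients={len(recipients)}")
    return {"status": 200, "sent": len(recipients), "error": None}


if __name__ == "__main__":
    sent, audit = [], []
    fake_send = lambda to, subject: sent.append(to)  # records instead of mailing
    # Constructed samples: a normal 5-address share, and an oversized body that
    # skips the form and posts 5000 addresses in one request.
    normal = {"faq_id": 42,
              "recipients": [f"user{i}@example.org" for i in range(5)]}
    oversized = {"faq_id": 42,
                 "recipients": [f"addr{i}@example.org" for i in range(5000)]}
    print(handle_share_request(normal, fake_send, audit.append))
    print(handle_share_request(oversized, fake_send, audit.append))
    print(len(sent), "messages sent")  # 5: the oversized request sent none
    print("\n".join(audit))
```

The audit line written on every rejection is what the "monitor email server logs" recommendation above needs in practice: a burst of `share rejected ... too many recipients` entries from one source is a clear signal, whereas a vulnerable backend leaves only a burst of outbound SMTP traffic to notice after the fact.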

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2024-22208, GHSA-9HHF-XMCW-R3XG

Affected Products: phpMyFAQ