PT-2024-2396 · Phpmyfaq · Phpmyfaq

Kevinnivekkevin · Published 2024-03-25 · Updated 2025-01-09 · CVE-2024-27299

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

phpMyFAQ version 3.2.5

Description

A SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping of the email address. It allows any authenticated user with the rights to add/edit FAQ news to exfiltrate data, take over accounts and, in some cases, even achieve remote code execution. The vulnerable field is authorEmail, which is checked with PHP's FILTER_VALIDATE_EMAIL filter. This filter is insufficient protection against SQL injection attacks; the value should still be properly escaped.

Recommendations

For phpMyFAQ version 3.2.5, update to version 3.2.6 to fix the SQL injection vulnerability. As a temporary workaround, consider properly escaping the authorEmail field to prevent SQL injection attacks. Restrict access to the "Add News" functionality to minimize the risk of exploitation. Avoid using the authorEmail field in the affected API endpoint until the issue is resolved.
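
Why passing FILTER_VALIDATE_EMAIL is not the same as being safe to place in SQL text, as an added example (not phpMyFAQ's code and not the project's fix). It assumes the pdo_sqlite extension; the `news` table, its columns and the sample address are constructed for illustration, and it uses PDO parameter binding rather than the escaping the advisory mentions.

```php
<?php
// Constructed sample: a syntactically valid address with a quote in the local part.
$authorEmail = "o'brien@example.com";

// FILTER_VALIDATE_EMAIL checks address syntax only and returns the input unchanged,
// so SQL metacharacters that are legal in an address survive validation.
$validated = filter_var($authorEmail, FILTER_VALIDATE_EMAIL);
if ($validated === false) {
    exit("address rejected\n");
}
echo "validated value: $validated\n";

// Hypothetical table standing in for the news storage (not phpMyFAQ's schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, header TEXT, author_email TEXT)');

// Unsafe pattern: the validated value is interpolated into the SQL text.
try {
    $db->exec("INSERT INTO news (header, author_email) VALUES ('Release notes', '$validated')");
    echo "interpolated insert: accepted\n";
} catch (PDOException $e) {
    // The quote closed the string literal early, so input altered the statement itself.
    echo "interpolated insert: statement altered by input: " . $e->getMessage() . "\n";
}

// Hardened pattern: the value is bound as a parameter and never becomes SQL text.
$stmt = $db->prepare('INSERT INTO news (header, author_email) VALUES (:header, :email)');
$stmt->execute([':header' => 'Release notes', ':email' => $validated]);

// Read the row back and compare it with the original input.
$stored = $db->query('SELECT author_email FROM news')->fetchColumn();
echo "bound insert stored the address unchanged: ";
var_dump($stored === $authorEmail);
```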

Exploit

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-02348
CVE-2024-27299
GHSA-QGXX-4XV5-6HCW

Affected Products

Phpmyfaq