PT-2024-2397 · Phpmyfaq · Phpmyfaq

Kevinnivekkevin · Published 2024-03-25 · Updated 2025-01-09 · CVE-2024-28107

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

phpMyFAQ versions prior to 3.2.6

Description

A SQL injection vulnerability has been discovered in the insertentry and saveentry functions when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve remote code execution. The vulnerability can be exploited by modifying the email and notes parameters in the body of the POST request to the /admin/?action=insertentry and /admin/?action=saveentry API endpoints.

Recommendations

To resolve the issue, update phpMyFAQ to version 3.2.6 or later. As a temporary workaround, consider restricting access to the insertentry and saveentry functions until a patch is available. Additionally, restrict the use of the email and notes parameters in the affected API endpoints to minimize the risk of exploitation.
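One way to apply the parameter restriction described above in a reverse proxy or request middleware while the update is being rolled out. This is an added example, not phpMyFAQ code: `check_request`, the address pattern and the form-encoded body are assumptions, and only `email` is checked because `notes` is free text.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Actions named in the advisory: /admin/?action=insertentry and /admin/?action=saveentry
GUARDED_ACTIONS = {"insertentry", "saveentry"}

# Assumption of this example: a deliberately narrow address pattern (stricter than
# RFC 5322). Quotes, backslashes, whitespace, semicolons and parentheses cannot match.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+"
)


def check_request(method, url, body):
    """Return (allowed, reason) for one HTTP request.

    body is the raw application/x-www-form-urlencoded request body (assumed format).
    """
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith("/admin/"):
        return True, "not a guarded endpoint"
    actions = parse_qs(parts.query).get("action", [])
    if not GUARDED_ACTIONS.intersection(actions):
        return True, "not a guarded action"

    # parse_qs percent-decodes values, so encoded metacharacters are seen in clear.
    fields = parse_qs(body, keep_blank_values=True)
    emails = fields.get("email", [])
    # Reject repeated parameters so the filter and the application cannot disagree
    # about which copy of the value is used.
    if len(emails) != 1:
        return False, "email must appear exactly once"
    if not EMAIL_RE.fullmatch(emails[0]):
        return False, "email is not a plain address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", "/admin/?action=saveentry", "email=editor%40example.org&notes=draft"),
        ("POST", "/admin/?action=insertentry", "email=editor%40example.org%27&notes=draft"),
    ]
    for method, url, body in samples:
        print(url, check_request(method, url, body))
```

Rejected requests are worth logging with the authenticated user name, since the issue is only reachable by accounts that hold the add/edit right.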

Exploit · Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-02349
CVE-2024-28107
GHSA-2GRW-MC9R-822R

Affected Products

Phpmyfaq