PT-2024-36070 · Phpmyfaq · Phpmyfaq

Geo-Chen · Published 2024-12-06 · Updated 2025-08-15 · CVE-2024-54141

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.0.0
Description: phpMyFAQ exposes the database server credentials in the error it reports when a connection to the database fails. This happens whenever the database instance or server is unreachable: the resulting error message includes the connection credentials. For example, when the PostgreSQL server is down, the error thrown reveals the database credentials. A remote attacker can exploit this to gain full control over the database by performing a denial of service against the database instance or server, which causes the credentials to be exposed in the error.
Recommendations: For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the database instance or server to minimize the risk of exploitation. Avoid using the phpMyFAQSetupInstaller class until the issue is resolved. Restrict access to the http://<phpmyfaq-instance>:8080/setup/index.php endpoint to prevent potential exploitation.
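As an added illustration that is not phpMyFAQ's own code, the following hypothetical PHP wrapper shows the failure mode the description names (a connection error that carries the credentials to the client) next to a hardened variant that keeps the detail in the server log and returns only a generic message. Host, database and credential values are constructed; the code assumes the PDO extension is available.

```php
<?php
// Hypothetical example (not phpMyFAQ code): open a PostgreSQL connection with PDO
// and handle a connection failure two ways.

function connectVulnerable(string $host, string $db, string $user, string $pass): PDO
{
    // Credentials embedded in the DSN string.
    $dsn = "pgsql:host=$host;dbname=$db;user=$user;password=$pass";
    try {
        return new PDO($dsn);
    } catch (PDOException $e) {
        // Weakness: the DSN, credentials included, becomes part of the message shown to the client.
        throw new RuntimeException("Cannot connect using '$dsn': " . $e->getMessage());
    }
}

function redactSecrets(string $message, array $secrets): string
{
    foreach ($secrets as $secret) {
        if ($secret !== '') {
            $message = str_replace($secret, '[redacted]', $message);
        }
    }
    return $message;
}

function connectHardened(string $host, string $db, string $user, string $pass): PDO
{
    // Credentials are passed as separate arguments, never as part of the DSN.
    $dsn = "pgsql:host=$host;dbname=$db";
    try {
        return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        // Operators get the detail in the server log, with the password redacted in case
        // the driver message echoes it; the client gets a fixed, generic message.
        error_log(sprintf('database connection to %s/%s failed: %s',
            $host, $db, redactSecrets($e->getMessage(), [$pass])));
        throw new RuntimeException('Database connection failed; see the server log.');
    }
}

// Usage with constructed values; assuming no PostgreSQL server listens on the host,
// the connection fails and only the generic message reaches the caller:
try {
    connectHardened('127.0.0.1', 'faq', 'faquser', 'constructed-secret');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```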

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2024-54141
GHSA-VRJR-P3XP-XX2X

Affected Products

Phpmyfaq