PT-2025-51967 · Phpmyfaq · Phpmyfaq
Mirabbas Ağalarov · Published 2025-12-17 · Updated 2025-12-20
CVE-2023-53929
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
phpMyFAQ version 3.1.12
Description
The software contains a CSV injection flaw that permits authenticated users to inject malicious formulas into their profile names. An attacker can modify their user profile name with a payload such as 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the characters allowed in user profile names to prevent the injection of malicious formulas.
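The following sketch of the workaround is an added example, not phpMyFAQ's own code or its fix; the function names are hypothetical and the sample values are constructed. It goes one step beyond the recommendation by also neutralising cells at export time, since names stored before the restriction was introduced would otherwise still reach the CSV unchanged.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from phpMyFAQ.

// Input side: allowlist for profile names. The first character must be a
// letter or digit, so a value can never begin with a formula trigger.
function isSafeDisplayName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N}][\p{L}\p{N} .\'\-]{0,63}\z/u', $name) === 1;
}

// Output side: values already stored may predate the allowlist, so prefix any
// cell a spreadsheet would evaluate (= + - @, tab, CR) with an apostrophe.
function neutraliseCsvCell(string $value): string
{
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

// Writes rows to an in-memory stream and returns the CSV text.
function exportUsersCsv(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map('neutraliseCsvCell', $row), ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample values; the second is the payload quoted in the description.
$names = ['Ada Lovelace', 'calc|a!z|', '=1+1', "O'Brien-Smith"];
foreach ($names as $name) {
    printf("%-16s %s\n", $name, isSafeDisplayName($name) ? 'accepted' : 'rejected');
}

echo exportUsersCsv([['id', 'name'], ['7', '=1+1'], ['8', 'Ada Lovelace']]);
```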
Exploit
Fix
RCE
Affected Products
Phpmyfaq