PT-2026-41354 · Phpmyfaq · Phpmyfaq
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.2
Description
Missing permission checks in
ConfigurationTabController.php allow any authenticated user to enumerate system configuration metadata, violating least privilege access control. Twelve endpoints under the /admin/api/configuration path incorrectly use the userIsAuthenticated() function, which only verifies if a user is logged in, instead of the userHasPermission(CONFIGURATION EDIT) function, which verifies specific administrative privileges.This allows users without administrative rights to discover sensitive infrastructure details through the following endpoints:
/configuration/translations/configuration/templates/configuration/faqs-sorting-key/{current}/configuration/faqs-sorting-order/{current}/configuration/faqs-sorting-popular/{current}/configuration/perm-level/{current}/configuration/release-environment/{current}/configuration/search-relevance/{current}/configuration/seo-metatags/{current}/configuration/translation-provider/{current}/configuration/mail-provider/{current}/configuration/cache-adapter/{current}
Exposed information includes the permission model, active templates, cache backend (such as redis or memcached), mail provider, translation service, and whether the environment is set to development or production.
Recommendations
Update to version 4.1.2 or later.
As a temporary workaround, restrict access to the
/admin/api/configuration endpoints to only trusted administrative users at the network or server level.Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq