This advisory has been withdrawn because it is a duplicate of GHSA-hpgw-ww76-c68r. This link is maintained to preserve external references.

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.