CVE-2024-28107
Published 2024-03-25
Priority: P3 · 49 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.97% (57.4th percentile)
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in `insertentry` & `saveentry` when modifying records, due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and, in some cases, even achieve RCE. This vulnerability is fixed in 3.2.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | — | — |
| phpmyfaq | phpmyfaq | >= 3.2.5 < 3.2.6 | 3.2.6 |
| thorsten | phpmyfaq | — | — |
OSV
phpMyFAQ SQL injections at insertentry & saveentry
osv·2024-03-25
CVE-2024-28107 [HIGH] phpMyFAQ SQL injections at insertentry & saveentry
### Summary
A SQL injection vulnerability has been discovered in `insertentry` & `saveentry` when modifying records, due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and, in some cases, even achieve RCE.
### PoC 1 - SQL Injection at insertentry:
1. Browse to "/admin/?action=editentry", edit record and save. Intercept the POST request to "/admin/?action=insertentry" and modify the email and notes parameters in the body to the payloads below:
   a. `email=test'/*@email.com`
   b. `notes=*/,1,1,1,1,null,1);select+pg_sleep(5)--`
2. Send the request and notice the `pg_sleep(5)` command is executed with a time
GHSA
phpMyFAQ SQL injections at insertentry & saveentry
ghsa·2024-03-25
CVE-2024-28107 [HIGH] CWE-89 phpMyFAQ SQL injections at insertentry & saveentry
https://github.com/thorsten/phpMyFAQ/commit/d0fae62a72615d809e6710861c1a7f67ac893007
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-2grw-mc9r-822r