CVE-2024-54141
published 2024-12-06CVE-2024-54141: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.48%
37.7th percentile
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | — | — |
| thorsten | phpmyfaq | < 4.0.0 | 4.0.0 |
| thorsten | phpmyfaq | >= 0 < 4.0.0 | 4.0.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
osv·2024-12-06
CVE-2024-54141 [HIGH] phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
### Summary
Exposure of database (ie postgreSQL) server's credential when connection to DB fails.
### Details
Exposed database credentials upon misconfig/DoS @ permalink: https://github.com/thorsten/phpMyFAQ/blob/main/phpmyfaq/src/phpMyFAQ/Setup/Installer.php#L694
### PoC
When postgreSQL server is unreachable, an error would be thrown exposing the credentials of the database. For instance, when "http://:8080/setup/index.php" is hit when the database instance/server is down, then credentials are exposed, for instance:
```
( ! ) Warning: pg_connect(): Unable to connect to PostgreSQL server: connection to server at "127.0.0.1", port 5432 failed: Connection refused Is the server running
GHSA
phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
ghsa·2024-12-06
CVE-2024-54141 [HIGH] CWE-209 phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available
### Summary
Exposure of database (ie postgreSQL) server's credential when connection to DB fails.
### Details
Exposed database credentials upon misconfig/DoS @ permalink: https://github.com/thorsten/phpMyFAQ/blob/main/phpmyfaq/src/phpMyFAQ/Setup/Installer.php#L694
### PoC
When postgreSQL server is unreachable, an error would be thrown exposing the credentials of the database. For instance, when "http://:8080/setup/index.php" is hit when the database instance/server is down, then credentials are exposed, for instance:
```
( ! ) Warning: pg_connect(): Unable to connect to PostgreSQL server: connection to server at "127.0.0.1", port 5432 failed: Connection refused Is the server running
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-12-06
Published