CVE-2014-6046
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4) publish FAQs, (5) add or delete Glossary, (6) add or delete FAQ news, or (7) add or delete comments or add votes by leveraging lack of a CSRF token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ before 2.8.13 contains multiple CSRF vulnerabilities that let remote attackers hijack a victim's authentication to perform unauthorized actions.
Vulnerability
phpMyFAQ versions up to 2.8.12 contain multiple cross-site request forgery (CSRF) vulnerabilities. The 'delete user' functionality improperly validates CSRF tokens, and other operations (deleting open questions, activating users, publishing FAQs, adding/deleting Glossary, adding/deleting FAQ news, adding/deleting comments, or adding votes) lack a CSRF token entirely. These issues are documented in advisory [1] and tracked as CVE-2014-6046.
Exploitation
An attacker can craft a malicious request that, when issued by the browser of an authenticated admin or user, executes unauthorized actions under that victim's session. The attacker must trick the victim into visiting a crafted page or clicking a link while they are authenticated. For the 'delete user' operation, the request succeeds because the CSRF token is improperly validated; for the other operations, it succeeds because no CSRF token is required at all. No special network position is required beyond the ability to deliver the crafted request.
Impact
Successful exploitation allows an attacker to perform actions on behalf of the victim, such as deleting active users, deleting open questions, activating users, publishing FAQs, adding or deleting Glossary entries, FAQ news and comments, or casting votes. This leads to unauthorized modification of FAQ data and potential privilege escalation, compromising the integrity and availability of the application.
Mitigation
The phpMyFAQ team released version 2.8.13 to fix these CSRF vulnerabilities [1]. All users should upgrade immediately. No workaround exists except installing the patched version.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.8.13
- (no CPE) range: <2.8.13
Patches
No patches discovered yet.
References
- techdefencelabs.com/security-advisories.html (mitre, x_refsource_MISC)
- www.phpmyfaq.de/security/advisory-2014-09-16 (mitre, x_refsource_CONFIRM)