VYPR
Moderate severity · NVD Advisory · Published Apr 5, 2023 · Updated Feb 10, 2025

Improper Access Control in thorsten/phpmyfaq

CVE-2023-1883

Description

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyFAQ prior to 3.1.12 has an improper access control vulnerability allowing unauthenticated users to post comments on inactive FAQs or news.

Vulnerability

The vulnerability is an improper access control in the comment submission functionality of phpMyFAQ, affecting versions prior to 3.1.12 [1]. The root cause is that the commentDisabled check did not verify whether the FAQ or news item was still active before allowing comment submission [2]. This means comments could be posted on deactivated content, which contradicts the intended access control policies [3].
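To make the missing check concrete, the following is an added illustrative model written for this page, not phpMyFAQ code: a comment gate before and after the fix, run against a small constructed in-memory record store in place of the database. The record keys, the `comments` field and the function names are assumptions; only the `'y'`/`'yes'` active values mirror the patch.

```php
<?php
// Added illustrative model (not phpMyFAQ code): the comment gate before and
// after the fix, using an in-memory record store instead of the database.
declare(strict_types=1);

// Constructed sample records keyed by "type:id:lang". The 'active' values
// mirror the column values the patch compares against; 'comments' is an
// assumed per-record flag standing in for the commentDisabled() lookup.
$records = [
    'faq:1:en'  => ['active' => 'y', 'comments' => 'y'],
    'faq:2:en'  => ['active' => 'n', 'comments' => 'y'],   // deactivated FAQ
    'news:3:en' => ['active' => 'y', 'comments' => 'n'],   // comments disabled
];

function findRecord(array $records, string $type, int $id, string $lang): ?array
{
    return $records["$type:$id:$lang"] ?? null;
}

// Vulnerable gate: only the comments flag is consulted, so a deactivated
// record still accepts comments.
function commentAllowedVulnerable(array $records, string $type, int $id, string $lang): bool
{
    $row = findRecord($records, $type, $id, $lang);
    return $row !== null && $row['comments'] === 'y';
}

// Hardened gate: the record must exist, be active and have comments enabled.
// A missing record fails closed, the same default the patch's isActive() takes.
function commentAllowedFixed(array $records, string $type, int $id, string $lang): bool
{
    $row = findRecord($records, $type, $id, $lang);
    if ($row === null) {
        return false;
    }
    $isActive = in_array($row['active'], ['y', 'yes'], true);
    return $isActive && $row['comments'] === 'y';
}

// faq:9:en does not exist; both gates must deny it, and only the hardened
// gate denies the deactivated faq:2:en.
foreach (['faq:1:en', 'faq:2:en', 'news:3:en', 'faq:9:en'] as $key) {
    [$type, $id, $lang] = explode(':', $key);
    printf(
        "%-10s vulnerable=%s fixed=%s\n",
        $key,
        commentAllowedVulnerable($records, $type, (int) $id, $lang) ? 'allow' : 'deny',
        commentAllowedFixed($records, $type, (int) $id, $lang) ? 'allow' : 'deny'
    );
}
```

The point of the model is the second and fourth rows: a deactivated record is the case the original check never considered, and a record that cannot be found should be refused rather than treated as commentable.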

Exploitation

Exploitation requires only the ability to submit a comment on a FAQ or news item [3]. The attacker does not need authentication, as the comment submission API appears to be publicly accessible in certain use cases [2]. By sending a crafted POST request to the comment endpoint, an attacker can bypass the missing active check and add comments to content that should be inactive [3]. The fix adds an isActive method that checks the active field in the database table [3].

Impact

An attacker can inject comments into inactive FAQs or news entries, potentially spreading misinformation or malicious links on a site that expects such content to be disabled [4]. This can undermine the integrity of the knowledge base and damage the trust of users who rely on phpMyFAQ for accurate information [1]. The impact is limited to comment injection; there is no evidence of data exfiltration or privilege escalation from this CVE.

Mitigation

The vendor addressed this vulnerability in phpMyFAQ version 3.1.12 [2]. Users should upgrade to this version or later, applying the commit that adds the isActive check to the comment submission logic [3]. There is no known workaround, and the project recommends upgrading as the only mitigation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        | Affected versions | Patched versions
thorsten/phpmyfaq (Packagist)  | < 3.1.12          | 3.1.12

Affected products

3

Patches

1
db77df888178

fix: added check if news or FAQs are active

https://github.com/thorsten/phpmyfaq · Thorsten Rinne · Feb 14, 2023 · via ghsa
2 files changed · +36 −8
  • phpmyfaq/ajaxservice.php (+2 −7, modified)
    @@ -185,13 +185,8 @@
             }
     
             if (
    -            !is_null($username) && !is_null($mailer) && !is_null($comment) && $stopWords->checkBannedWord(
    -                $comment
    -            ) && !$faq->commentDisabled(
    -                $id,
    -                $languageCode,
    -                $type
    -            )
    +            !is_null($username) && !is_null($mailer) && !is_null($comment) && $stopWords->checkBannedWord($comment) &&
    +            !$faq->commentDisabled($id, $languageCode, $type) && !$faq->isActive($id, $languageCode, $type)
             ) {
                 try {
                     $faqSession->userTracking('save_comment', $id);
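Review bot: the new `!$faq->isActive($id, $languageCode, $type)` term on the combined condition reads as "allow the comment only when the record is not active", the opposite of the intent; it is correct only because the new isActive() (see the Faq.php hunk) returns true for inactive or missing records. Consider flipping the method's return value and dropping the `!`, or renaming it (something like isInactive(), a hypothetical name) so the condition reads as the policy it enforces. The fail-closed default for a record that does not exist is the right choice and deserves a short comment at this call site.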
    
  • phpmyfaq/src/phpMyFAQ/Faq.php (+34 −1, modified)
    @@ -1258,6 +1258,39 @@ public function hasTranslation(int $recordId, string $recordLang): bool
             return false;
         }
     
    +    public function isActive(int $recordId, string $recordLang, string $commentType = 'faq'): bool
    +    {
    +        if ('news' === $commentType) {
    +            $table = 'faqnews';
    +        } else {
    +            $table = 'faqdata';
    +        }
    +
    +        $query = sprintf(
    +            "
    +            SELECT
    +                active
    +            FROM
    +                %s%s
    +            WHERE
    +                id = %d
    +            AND
    +                lang = '%s'",
    +            Database::getTablePrefix(),
    +            $table,
    +            $recordId,
    +            $this->config->getDb()->escape($recordLang)
    +        );
    +
    +        $result = $this->config->getDb()->query($query);
    +
    +        if ($row = $this->config->getDb()->fetchObject($result)) {
    +            return !(($row->active === 'y' || $row->active === 'yes'));
    +        } else {
    +            return true;
    +        }
    +    }
    +
         /**
          * Checks, if comments are disabled for the FAQ record.
          *
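Review bot: isActive() returns `!(($row->active === 'y' || $row->active === 'yes'))`, i.e. true when the record is inactive, and true again in the `else` branch when no row is found, so the name is inverted relative to the result and the surrounding docblock convention is not followed: commentDisabled() directly below carries "Checks, if comments are disabled for the FAQ record." while the new method has no docblock at all. At minimum add one stating "returns true when the record is inactive or does not exist", or better, rename or invert the method so name and value agree. The doubled parentheses in the return expression can be reduced to a single pair. The query interpolates `%d` for `$recordId` and `escape()` for `$recordLang` via sprintf, matching the pattern used elsewhere in the file; a parameterised query would remove the dependence on escape() being applied correctly to every string argument.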
    @@ -1268,7 +1301,7 @@ public function hasTranslation(int $recordId, string $recordLang): bool
          */
         public function commentDisabled(int $recordId, string $recordLang, string $commentType = 'faq'): bool
         {
    -        if ('news' == $commentType) {
    +        if ('news' === $commentType) {
                 $table = 'faqnews';
             } else {
                 $table = 'faqdata';
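Review bot: the `==` to `===` change in commentDisabled() is unrelated to the access-control fix but safe, since `$commentType` is type-hinted `string`, and it keeps this method consistent with the strict comparison used in the new isActive(). No further action needed on this hunk.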
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
