VYPR
← All advisories
High severityNVD Advisory· Published Oct 31, 2023· Updated Sep 17, 2024

Insufficient Session Expiration in thorsten/phpmyfaq

CVE-2023-5865

Description

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-5865: Insufficient session expiration in phpMyFAQ before 3.2.2 allows persisted sessions after permission changes.

Vulnerability

Description

CVE-2023-5865 is an insufficient session expiration vulnerability in phpMyFAQ, an open-source FAQ web application, affecting versions prior to 3.2.2 [1]. The root cause lies in the user permission update process: when an administrator modifies a user's permissions (e.g., granting or revoking rights), the affected user's existing session is not invalidated [3]. This allows the user to continue using the application with the old, potentially elevated privileges until they log out or their session naturally expires.

Exploitation

Mechanism

An attacker who already holds a valid session with certain permissions can exploit this flaw if an administrator later changes those permissions without invalidating the existing session [2]. The attack requires an authenticated user session; the vulnerability is triggered via the administrative user management interface (e.g., activate_user action) [3]. The commit fixing the issue shows that a terminateSessionId() method was added to clear the session ID from the database when a user's rights are updated [3].

Impact

If exploited, this vulnerability could lead to unauthorized access or privilege escalation. A user whose permissions were revoked (e.g., from admin to regular user) could still perform actions as if they retained the higher privileges, potentially accessing sensitive data or administrative functions [2]. The CVSS v3.1 score is 6.5 (Medium), reflecting the need for an authenticated session and administrative action to change permissions [2].

Mitigation

The vulnerability is patched in phpMyFAQ version 3.2.2 [1][2]. Users should upgrade immediately to this version or later. The fix ensures that when a user's permissions are updated, their active session is terminated, forcing them to log in again with the new permissions [3]. No workarounds are documented, and this issue is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. GitHub - thorsten/phpMyFAQ: phpMyFAQ - Open Source FAQ web application for PHP 8.3+ and MySQL, PostgreSQL and other databases
  2. NVD - CVE-2023-5865
  3. fix: terminate user sessions for user with changed permissions · thorsten/phpMyFAQ@5f43786

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
thorsten/phpmyfaqPackagist
< 3.2.23.2.2

Affected products

2

Patches

1
5f43786f52c3

fix: terminate user sessions for user with changed permissions

https://github.com/thorsten/phpmyfaqThorsten RinneSep 22, 2023via ghsa
commit
4 files changed · +20 3
  • phpmyfaq/admin/api/user.php+1 2 modified
    @@ -115,8 +115,7 @@
 
         case 'activate_user':
             $postData = json_decode(file_get_contents('php://input', true));
-
-            if (!Token::getInstance()->verifyToken('user', $postData->csrfToken)) {
+            if (!Token::getInstance()->verifyToken('activate-user', $postData->csrfToken)) {
                 $response->setStatusCode(Response::HTTP_UNAUTHORIZED);
                 $response->setData(['error' => Translation::get('err_NotAuth')]);
                 $response->send();
  • phpmyfaq/admin/assets/src/user/user-list.js+1 1 modified
    @@ -18,7 +18,7 @@
 import { addElement } from '../../../../assets/src/utils';
 
 const activateUser = (userId, csrfToken) => {
-  fetch('index.php?action=ajax&ajax=user&ajaxaction=delete_user', {
+  fetch('index.php?action=ajax&ajax=user&ajaxaction=activate_user', {
     method: 'POST',
     headers: {
       Accept: 'application/json, text/plain, */*',
  • phpmyfaq/admin/user.php+3 0 modified
    @@ -94,7 +94,10 @@
             foreach ($userRights as $rightId) {
                 $perm->grantUserRight($userId, $rightId);
             }
+
             $idUser = $user->getUserById($userId, true);
+            // Terminate session in case of different permissions after the update
+            $user->terminateSessionId();
             $message .= sprintf(
                 '<p class="alert alert-success">%s <strong>%s</strong> %s</p>',
                 Translation::get('ad_msg_savedsuc_1'),
  • phpmyfaq/src/phpMyFAQ/User.php+15 0 modified
    @@ -1037,4 +1037,19 @@ public function setSuperAdmin(bool $isSuperAdmin): bool
 
         return false;
     }
+
+    /**
+     * Terminates the session ID of user
+     * @return bool
+     */
+    public function terminateSessionId(): bool
+    {
+        $update = sprintf(
+            "UPDATE %sfaquser SET session_id = '' WHERE user_id = %d",
+            Database::getTablePrefix(),
+            $this->userId
+        );
+
+        return (bool) $this->config->getDb()->query($update);
+    }
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.