VYPR
Moderate severity · NVD Advisory · Published Oct 31, 2023 · Updated Sep 5, 2024

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq

CVE-2023-5866

Description

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In phpMyFAQ prior to 3.2.1, session cookies lack the Secure attribute, enabling potential interception over unencrypted connections.

Vulnerability

Overview

CVE-2023-5866 identifies a missing 'Secure' attribute on cookies set during HTTPS sessions in phpMyFAQ versions prior to 3.2.1. The session cookie is set without the Secure flag, meaning it can be transmitted over unencrypted HTTP connections if the user navigates from HTTPS to HTTP or if the site is accessed via an insecure channel. The root cause is in the setSession method of the phpMyFAQ\Session\Token class, where the cookie is set using setcookie() without specifying the 'secure' parameter [1][3].

Exploitation

An attacker on the same network (e.g., public Wi-Fi) can intercept session cookies by performing a man-in-the-middle (MITM) attack if the user's browser sends the cookie over an HTTP connection. The prerequisite is that the phpMyFAQ instance is served over HTTPS but the cookie lacks the Secure attribute, allowing it to be inadvertently transmitted over HTTP when the user follows an HTTP link or when the site is accessed via an insecure connection. No authentication is required for the attacker; they only need network access to capture the unencrypted traffic [2][4].

Impact

Successful exploitation allows an attacker to hijack an authenticated user's session, gaining unauthorized access to the phpMyFAQ application with the same privileges as the victim. This can lead to data exposure, configuration changes, or arbitrary actions within the FAQ system [2][4].

Mitigation

The vulnerability is fixed in commit fdacff1 (Reference [3]), which adds the 'secure' attribute based on whether the request is HTTPS. The fix was included in phpMyFAQ version 3.2.1. Users should upgrade to version 3.2.1 or later. Alternatively, users can manually apply the patch from the commit [1][3][4].
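The Secure, HttpOnly and SameSite checks discussed above, as an added detection example that is not part of this advisory or of the phpMyFAQ project: a small Python audit of Set-Cookie headers, run over constructed sample headers shaped like the cookie before and after the fix (the cookie name, token value and host are placeholders, not values from a real installation).

```python
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_set_cookie(header_value: str, served_over_https: bool = True) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it is hardened."""
    c = parse_set_cookie(header_value)
    findings = []
    if served_over_https and "secure" not in c:
        # The CVE-2023-5866 defect: without Secure the browser also sends the
        # cookie on plain-HTTP requests to the same host (CWE-614).
        findings.append(f"{c['name']}: missing Secure")
    if "httponly" not in c:
        findings.append(f"{c['name']}: missing HttpOnly")
    if c.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{c['name']}: SameSite not Strict or Lax")
    return findings


def audit_response(headers: List[Tuple[str, str]], served_over_https: bool = True) -> List[str]:
    """Audit every Set-Cookie header in a (name, value) response header list."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value, served_over_https))
    return findings


# Constructed samples shaped like the pre- and post-fix setcookie() calls in the patch;
# cookie name, token and host are placeholders, not values from a real phpMyFAQ install.
BEFORE_FIX = [("Set-Cookie", "pmf-token-0123456789=0123456789abcdef; expires=Thu, 01 Jan 2026 00:00:00 GMT")]
AFTER_FIX = [("Set-Cookie", "pmf-token-0123456789=0123456789abcdef; expires=Thu, 01 Jan 2026 00:00:00 GMT; "
                            "path=/; domain=faq.example.com; SameSite=Strict; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit_response(hdrs) or ["no findings"])
```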

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
thorsten/phpmyfaq   Packagist   < 3.2.1             3.2.1

Affected products

2

Patches

1
fdacff14acd5

fix: improved check on secure flag for cookies

https://github.com/thorsten/phpmyfaq · Thorsten Rinne · Sep 9, 2023 · via ghsa
2 files changed · +20 −5
  • phpmyfaq/src/phpMyFAQ/Session.php  +1 −4  modified
    @@ -397,10 +397,7 @@ public function userTracking(string $action, int|string $data = null): void
          */
         public function setCookie(string $name, int|string|null $sessionId, int $timeout = 3600): bool
         {
    -        $secure = false;
    -        if (isset($_SERVER['HTTPS']) && strtoupper((string) $_SERVER['HTTPS']) === 'ON') {
    -            $secure = true;
    -        }
    +        $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] === 443;
     
             return setcookie(
                 $name,
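Review bot: the `$_SERVER['SERVER_PORT'] === 443` comparison on the added `$secure = ...` line can never be true, because PHP populates $_SERVER['SERVER_PORT'] as a string ("443"), so the strict comparison against the integer 443 always fails and only the HTTPS branch ever sets $secure; cast before comparing (`(int) $_SERVER['SERVER_PORT'] === 443`) or compare against the string '443'. Note also that behind a TLS-terminating reverse proxy neither HTTPS nor SERVER_PORT reflects the client's connection, so such deployments still get a cookie without Secure unless a trusted forwarded-protocol header is consulted.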
    
  • phpmyfaq/src/phpMyFAQ/Session/Token.php  +19 −1  modified
    @@ -18,6 +18,8 @@
     namespace phpMyFAQ\Session;
     
     use Exception;
    +use phpMyFAQ\Configuration;
    +use phpMyFAQ\System;
     
     class Token
     {
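Review bot: `use phpMyFAQ\System;` is imported but System is not referenced in any hunk of this patch (only Configuration is used, for the cookie domain), so the import is dead unless a part of the file not shown uses it; drop it, or use it to host the shared HTTPS check.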
    @@ -186,7 +188,18 @@ private function setSession(string $page, int $expiry): Token
                 ->setSessionToken(md5(base64_encode(random_bytes(32))))
                 ->setCookieToken(md5(base64_encode(random_bytes(32))));
     
    -        setcookie($token->getCookieName($page), $token->getCookieToken(), ['expires' => $token->getExpiry()]);
    +        setcookie(
    +            $token->getCookieName($page),
    +            $token->getCookieToken(),
    +            [
    +                'expires' => $token->getExpiry(),
    +                'path' => dirname((string) $_SERVER['SCRIPT_NAME']),
    +                'domain' => parse_url(Configuration::getConfigurationInstance()->getDefaultUrl(), PHP_URL_HOST),
    +                'samesite' => 'strict',
    +                'secure' => $this->isSecure(),
    +                'httponly' => true,
    +            ]
    +        );
     
             return $_SESSION[self::PMF_SESSION_NAME][$page] = $token;
         }
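Review bot: setting 'domain' explicitly from getDefaultUrl() widens the cookie's scope: per RFC 6265 a cookie carrying a Domain attribute is sent to that host and all of its subdomains, while omitting the attribute yields a host-only cookie, which is the more restrictive choice for a CSRF token cookie unless subdomain sharing is actually needed. Likewise 'path' derived from dirname($_SERVER['SCRIPT_NAME']) depends on which script sets the cookie, so a token set from a nested directory is not presented on pages above it; deriving the path from the configured base URL would be more predictable. The added 'secure', 'httponly' and 'samesite' options are the part that closes the CVE.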
    @@ -195,4 +208,9 @@ private function getCookieName(string $page): string
         {
             return sprintf('%s-%s', self::PMF_SESSION_NAME, substr(md5($page), 0, 10));
         }
    +
    +    private function isSecure(): bool
    +    {
    +        return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] === 443;
    +    }
     }
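Review bot: isSecure() duplicates the expression just added in Session::setCookie(), including the same `$_SERVER['SERVER_PORT'] === 443` strict comparison against an integer, which fails because the superglobal holds a string; move the check into one shared helper (the newly imported System class would be a natural home) so both call sites are corrected together, and cast the port to int before comparing.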
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
