High severity · NVD Advisory · Published Mar 25, 2024 · Updated Aug 13, 2024
phpMyFAQ's File Upload Bypass at Category Image Leads to RCE
CVE-2024-28105
Description
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The category image upload function in phpMyFAQ is vulnerable to manipulation of the Content-type and lang parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system. This vulnerability is fixed in 3.2.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyfaq/phpmyfaq (Packagist) | >= 3.2.5, < 3.2.6 | 3.2.6 |
References
- github.com/advisories/GHSA-pwh2-fpfr-x5gf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-28105 (ghsa, ADVISORY)
- github.com/thorsten/phpMyFAQ/commit/9136883776af67dfdb0e8cf14f5e0ca22bf4f2e7 (ghsa, x_refsource_MISC, WEB)
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pwh2-fpfr-x5gf (ghsa, x_refsource_CONFIRM, WEB)