Phpmyfaq
by PhpMyAdmin
CVEs (56)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11187 | | Critical | 0.64 | 9.8 | 0.01 | | Jul 12, 2017 | phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly. |
| CVE-2017-15808 | | High | 0.60 | 8.8 | 0.01 | | Oct 23, 2017 | In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. |
| CVE-2017-15730 | | High | 0.60 | 8.8 | 0.02 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. |
| CVE-2017-15733 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php. |
| CVE-2017-15732 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php. |
| CVE-2017-15731 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php. |
| CVE-2017-15729 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary. |
| CVE-2014-6046 | | High | 0.53 | 8.8 | 0.02 | | Aug 28, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open… |
| CVE-2017-15735 | | High | 0.53 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. |
| CVE-2017-15734 | | High | 0.53 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. |
| CVE-2026-35671 | | High | 0.50 | 8.8 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials… |
| CVE-2026-34728 | | High | 0.50 | 8.7 | 0.01 | | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload… |
| CVE-2018-16651 | | High | 0.47 | 7.2 | 0.01 | | Sep 7, 2018 | The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports. |
| CVE-2026-35676 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password… |
| CVE-2026-35675 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain… |
| CVE-2014-6045 | | High | 0.43 | 7.2 | 0.02 | | Aug 28, 2018 | SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function. |
| CVE-2017-14619 | | Medium | 0.43 | 6.1 | 0.02 | | Sep 20, 2017 | Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module. |
| CVE-2026-35672 | | High | 0.42 | 7.5 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject… |
| CVE-2018-15899 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 27, 2018 | An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. |
| CVE-2017-15809 | | Medium | 0.40 | 6.1 | 0.01 | | Oct 23, 2017 | In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag. |
Page 1 of 3