Количество 2
Количество 2
CVE-2026-24421
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
GHSA-wm8h-26fv-mg7g
phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2026-24421 phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | CVSS3: 6.5 | 0% Низкий | 16 дней назад |
| GHSA-wm8h-26fv-mg7g phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) | CVSS3: 6.5 | 0% Низкий | 16 дней назад |
Уязвимостей на страницу