SCA: security update for phpmyfaq/phpmyfaq (GHSA-6648-6g96-mg35)

medium Tenable Self-Hosted Container Security Plugin ID 411232

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases.
phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a
compelling phishing case for removing another user's account. The front-end of this page doesn't allow
changing the form details, an attacker can utilize a proxy to intercept this request and submit other
data. Upon submitting this form, an email is sent to the administrator informing them that this user wants
to delete their account. An administrator has no way of telling the difference between the actual user
wishing to delete their account or the attacker issuing this for an account they do not control. This
issue has been patched in version 3.2.5. (CVE-2024-22202)

See Also

https://github.com/advisories/GHSA-6648-6g96-mg35

Plugin Details

Severity: Medium

ID: 411232

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2024-22202

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/5/2024

Vulnerability Publication Date: 2/5/2024

Reference Information

CVE: CVE-2024-22202

cwe: CWE-284