<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-28T19:00:58.181339+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f8f44235-d0c6-404c-93c8-e02bf713ecfd/export</id>
    <title>f8f44235-d0c6-404c-93c8-e02bf713ecfd</title>
    <updated>2026-06-28T19:00:58.188344+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f8f44235-d0c6-404c-93c8-e02bf713ecfd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-985R-Q3QP-299H", "type": "seen", "source": "https://gist.github.com/alon710/e9c21cf2a4b3d2c5f2db0a4799f8c878", "content": "# GHSA-985R-Q3QP-299H: GHSA-985R-Q3QP-299H: Incomplete Fix in phpMyFAQ Admin API Enables Privilege Escalation and Account Takeover\n\n&amp;gt; **CVSS Score:** 8.8\n&amp;gt; **Published:** 2026-06-26\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-985R-Q3QP-299H\n\n## Summary\nAn incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.\n\n## TL;DR\nAn incomplete security patch in phpMyFAQ allows low-privilege administrative accounts to bypass authorization controls. By submitting crafted requests to vulnerable API endpoints, attackers can modify SuperAdmin account profiles or elevate their own privileges, resulting in full application takeover.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-639\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 8.8\n- **EPSS Score**: Not Available\n- **Vulnerability Type**: Insecure Direct Object Reference (IDOR)\n- **Impact**: Privilege Escalation &amp;amp; Account Takeover\n- **Exploit Status**: poc\n- **KEV Status**: No\n\n## Affected Systems\n\n- phpMyFAQ deployments with administrative API routes enabled\n- **phpMyFAQ**: &amp;lt;= 4.1.3\n\n## Mitigation\n\n- Restrict network access to the admin panel via IP blocklists or VPN gateways.\n- Enable query-level logging to monitor parameters passed to user-modification endpoints.\n- Deploy WAF rules to detect and alert on unauthorized PUT requests containing administrative user IDs in the JSON payload.\n\n**Remediation Steps:**\n1. Identify the current phpMyFAQ deployment version.\n2. Download and install the updated PHP package containing the complete authorization validation logic for UserController.\n3. Audit the administrative user list to verify that no unauthorized low-privilege users have changed their associated email addresses or group roles.\n4. Invalidate all active administrative sessions post-upgrade to enforce new access-control checks.\n\n## References\n\n- [GHSA-985R-Q3QP-299H Advisory Page](https://github.com/advisories/GHSA-985R-Q3QP-299H)\n- [Predecessor Advisory (GHSA-xvp4-phqj-cjr3)](https://github.com/advisories/GHSA-xvp4-phqj-cjr3)\n- [Vendor Code Repository](https://github.com/thorsten/phpMyFAQ)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-985R-Q3QP-299H) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T21:42:10.153034Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f8f44235-d0c6-404c-93c8-e02bf713ecfd/export"/>
    <published>2026-06-26T21:42:10.153034+00:00</published>
  </entry>
</feed>
