GHSA-M3R7-8GW7-QWVC

Vulnerability from github – Published: 2024-12-13 20:36 – Updated: 2025-08-14 22:16
VLAI?
Summary
thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames
Details

Summary

A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interaction or explicit consent.

Details

In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions). image

PoC

  1. create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie

    <iframe "index.php?action=attachment&id=2" image

  2. in the FAQ record, insert a "source code" blob using the "< >" button

  3. insert in the following snippet:

    and save FAQ record
  4. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction: image

(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en although a fresh installation overwrites this demo instance every 24 hours)

(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)

Impact

Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:36:08Z",
    "nvd_published_at": "2024-12-13T14:15:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. \n\n### Details\nIn http://localhost/admin/index.php?action=editentry\u0026id=20\u0026lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as \"source code\", pointing to a prior \"malicious\" attachment that the attacker has uploaded via FAQ \"new attachment\" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).\n![image](https://github.com/user-attachments/assets/74fee719-1eea-4bcb-9c7d-da0c5045c74b)\n\n### PoC\n\n1. create a new FAQ record and upload a \"malicious\" file - in my case, I uploaded an eicar file. take note of the uri, ie \u003cp\u003e\u003ciframe \"index.php?action=attachment\u0026amp;id=2\"\n![image](https://github.com/user-attachments/assets/06072ef6-9311-423a-a735-1d6a3274cde8)\n\n3. in the FAQ record, insert a \"source code\" blob using the \"\u003c \u003e\" button\n4. insert in the following snippet: \u003cp\u003e\u003ciframe src=\"index.php?action=attachment\u0026amp;id=2\"\u003e\u003c/iframe\u003e\u003c/p\u003e and save FAQ record\n5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:\n![image](https://github.com/user-attachments/assets/b10e137f-de01-4268-8f9c-0b440ae45349)\n\n(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry\u0026id=20\u0026lang=en\nalthough a fresh installation overwrites this demo instance every 24 hours)\n\n(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)\n\n### Impact\nMalicious code or binaries could be dropped on visitors\u0027 machines when visiting the FAQ platform. Take a worm or ransomware for instance.",
  "id": "GHSA-m3r7-8gw7-qwvc",
  "modified": "2025-08-14T22:16:40Z",
  "published": "2024-12-13T20:36:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.