Commit 242539d

1 parent 3fd3b6f commit 242539d

3 files changed

Lines changed: 12 additions & 6 deletions

advisories/github-reviewed/2026/01/GHSA-7p9h-m7m8-vhhv/GHSA-7p9h-m7m8-vhhv.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7p9h-m7m8-vhhv",
4-
"modified": "2026-01-23T20:17:16Z",
4+
"modified": "2026-01-23T21:12:28Z",
55
"published": "2026-01-23T20:17:16Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-24420"
8+
],
79
"summary": "phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)",
810
"details": "### Summary\nA logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.\n\n### Details\nIn attachment.php, the access decision uses:\n```($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])```\nisset() returns true even when the right value is false, and the logic simplifies to $groupPermission for some permission modes. As a result, a user without dlattachment can still access the attachment.\n\n### PoC\nPrecondition: A non‑admin user exists; an attachment is associated to a FAQ record; records.allowDownloadsForGuests = false.\nLog in as a non‑admin user without dlattachment.\nRequest the attachment download endpoint.\n```\ncurl -c /tmp/pmf_api_cookies.txt \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"tester\",\"password\":\"Test1234!\"}' \\\n http://192.168.40.16/phpmyfaq/api/v3.0/login\n\ncurl -i -b /tmp/pmf_api_cookies.txt \\\n \"http://192.168.40.16/phpmyfaq/index.php?action=attachment&id=1\"\n```\n\n### Impact\nUnauthorized users can download attachments (confidentiality breach). Depending on content, this may expose sensitive documents.",
911
"severity": [
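Review bot: the unchanged `details` text states that the access expression "simplifies to $groupPermission for some permission modes", but `($groupPermission || ($groupPermission && $userPermission))` reduces to `$groupPermission` in every case by absorption, so `$userPermission` never contributes to the decision and the `isset($permission['dlattachment'])` check is the only remaining gate; since this hunk only adds the alias `CVE-2026-24420` and bumps `modified`, a follow-up should tighten that sentence, and if the `references` array outside this hunk does not already point at the CVE record, add that entry alongside the alias so the identifier is resolvable.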

advisories/github-reviewed/2026/01/GHSA-j4rc-96xj-gvqc/GHSA-j4rc-96xj-gvqc.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-j4rc-96xj-gvqc",
4-
"modified": "2026-01-23T20:17:33Z",
4+
"modified": "2026-01-23T21:12:42Z",
55
"published": "2026-01-23T20:17:33Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-24422"
8+
],
79
"summary": "phpMyFAQ: Public API endpoints expose emails and invisible questions",
810
"details": "### Summary\nSeveral public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).\n\n### Details\nOpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.\n\n### PoC\n```\ncurl -i -H 'Accept-Language: en' \\\n http://192.168.40.16/phpmyfaq/api/v3.0/open-questions\n```\n\n### Impact\nPrivacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.",
911
"severity": [
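Review bot: the alias `CVE-2026-24422` is attached to an advisory whose `summary` and `details` (unchanged context) name only `OpenQuestionController::list()` and then say "Similar exposures exist in comment/news/faq APIs" without listing those endpoints or the fields they leak; if the CVE is meant to cover all of them, `details` should enumerate the affected endpoints so the alias maps to a clearly scoped issue, otherwise the sentence should be narrowed to the open-questions endpoint shown in the PoC.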

advisories/github-reviewed/2026/01/GHSA-wm8h-26fv-mg7g/GHSA-wm8h-26fv-mg7g.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-wm8h-26fv-mg7g",
4-
"modified": "2026-01-23T20:17:25Z",
4+
"modified": "2026-01-23T21:12:35Z",
55
"published": "2026-01-23T20:17:25Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-24421"
8+
],
79
"summary": "phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)",
810
"details": "### Summary\nAuthenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.\n\n### Details\nSetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.\n\n### PoC\nPrecondition: API enabled, any authenticated non‑admin user.\n- Log in as a non‑admin user.\n- Call backup endpoint.\n```\ncurl -c /tmp/pmf_api_cookies.txt \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"tester\",\"password\":\"Test1234!\"}' \\\n http://192.168.40.16/phpmyfaq/api/v3.0/login\n\ncurl -i -b /tmp/pmf_api_cookies.txt \\\n -X POST --data '4.0.16' \\\n http://192.168.40.16/phpmyfaq/api/setup/backup\n```\n\n### Impact\nLow‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.",
911
"severity": [
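Review bot: the unchanged `details` describe the defect only as `SetupController.php` "does not verify that the requester has configuration/admin permissions" without naming the right the endpoint must require, so a reader cannot check the fix against the advisory; with the alias `CVE-2026-24421` now attached, record which permission the corrected `/api/setup/backup` enforces, and in the `Impact` section state whether the generated ZIP path returned by the endpoint lies under the web root by default or only under the "server misconfiguration" case the text mentions.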
