cvelistv5 - CVE-2024-55889

CVE-2024-55889

Vulnerability from cvelistv5

Published

2024-12-13 13:44

Modified

2024-12-13 20:42

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Summary

phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc

Impacted products

	Vendor	Product	Version
	thorsten	phpMyFAQ	Version: < 3.2.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-55889",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-13T20:42:00.544690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-13T20:42:24.897Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "phpMyFAQ",
          "vendor": "thorsten",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. Version 3.2.10 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-13T13:44:57.630Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
        },
        {
          "name": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"
        }
      ],
      "source": {
        "advisory": "GHSA-m3r7-8gw7-qwvc",
        "discovery": "UNKNOWN"
      },
      "title": "phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-55889",
    "datePublished": "2024-12-13T13:44:57.630Z",
    "dateReserved": "2024-12-12T15:00:38.902Z",
    "dateUpdated": "2024-12-13T20:42:24.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-55889\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-13T14:15:22.653\",\"lastModified\":\"2024-12-13T21:15:13.483\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. Version 3.2.10 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-451\"}]}],\"references\":[{\"url\":\"https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-55889\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-13T20:42:00.544690Z\"}}}], \"references\": [{\"url\": \"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-13T20:42:18.023Z\"}}], \"cna\": {\"title\": \"phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames\", \"source\": {\"advisory\": \"GHSA-m3r7-8gw7-qwvc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"thorsten\", \"product\": \"phpMyFAQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.2.10\"}]}], \"references\": [{\"url\": \"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc\", \"name\": \"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d\", \"name\": \"https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. Version 3.2.10 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-451\", \"description\": \"CWE-451: User Interface (UI) Misrepresentation of Critical Information\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-13T13:44:57.630Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-55889\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-13T20:42:24.897Z\", \"dateReserved\": \"2024-12-12T15:00:38.902Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-13T13:44:57.630Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-m3r7-8gw7-qwvc

Vulnerability from github

Published

2024-12-13 20:36

Modified

2024-12-13 20:36

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Summary

thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames

Details

Summary

A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interaction or explicit consent.

Details

In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).

PoC

create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie
<iframe "index.php?action=attachment&id=2"
in the FAQ record, insert a "source code" blob using the "< >" button
insert in the following snippet:
and save FAQ record
once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:

(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en although a fresh installation overwrites this demo instance every 24 hours)

(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)

Impact

Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:36:08Z",
    "nvd_published_at": "2024-12-13T14:15:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. \n\n### Details\nIn http://localhost/admin/index.php?action=editentry\u0026id=20\u0026lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as \"source code\", pointing to a prior \"malicious\" attachment that the attacker has uploaded via FAQ \"new attachment\" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).\n![image](https://github.com/user-attachments/assets/74fee719-1eea-4bcb-9c7d-da0c5045c74b)\n\n### PoC\n\n1. create a new FAQ record and upload a \"malicious\" file - in my case, I uploaded an eicar file. take note of the uri, ie \u003cp\u003e\u003ciframe \"index.php?action=attachment\u0026amp;id=2\"\n![image](https://github.com/user-attachments/assets/06072ef6-9311-423a-a735-1d6a3274cde8)\n\n3. in the FAQ record, insert a \"source code\" blob using the \"\u003c \u003e\" button\n4. insert in the following snippet: \u003cp\u003e\u003ciframe src=\"index.php?action=attachment\u0026amp;id=2\"\u003e\u003c/iframe\u003e\u003c/p\u003e and save FAQ record\n5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:\n![image](https://github.com/user-attachments/assets/b10e137f-de01-4268-8f9c-0b440ae45349)\n\n(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry\u0026id=20\u0026lang=en\nalthough a fresh installation overwrites this demo instance every 24 hours)\n\n(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)\n\n### Impact\nMalicious code or binaries could be dropped on visitors\u0027 machines when visiting the FAQ platform. Take a worm or ransomware for instance. \n",
  "id": "GHSA-m3r7-8gw7-qwvc",
  "modified": "2024-12-13T20:36:08Z",
  "published": "2024-12-13T20:36:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames"
}

fkie_cve-2024-55889

Vulnerability from fkie_nvd

Published

2024-12-13 14:15

Modified

2024-12-13 21:15

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d
	security-advisories@github.com	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. Version 3.2.10 fixes the issue."
    },
    {
      "lang": "es",
      "value": "phpMyFAQ es una aplicaci\u00f3n web de c\u00f3digo abierto para preguntas frecuentes. Antes de la versi\u00f3n 3.2.10, exist\u00eda una vulnerabilidad en el componente de registro de preguntas frecuentes por la que un atacante con privilegios pod\u00eda activar la descarga de un archivo en la m\u00e1quina de la v\u00edctima al visitar una p\u00e1gina incrust\u00e1ndolo en un elemento  sin interacci\u00f3n del usuario ni consentimiento expl\u00edcito. La versi\u00f3n 3.2.10 soluciona el problema."
    }
  ],
  "id": "CVE-2024-55889",
  "lastModified": "2024-12-13T21:15:13.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-13T14:15:22.653",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-451"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-55889

Vulnerability from cvelistv5

ghsa-m3r7-8gw7-qwvc

Vulnerability from github

Summary

Details

PoC

Impact

fkie_cve-2024-55889

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature