CVE-2024-28107

8.8 HIGH

📋 TL;DR

A SQL injection vulnerability in phpMyFAQ's FAQ news editor allows an authenticated user who holds the news-editing permission to run arbitrary SQL through the email field of a news entry. This can lead to exfiltration of the database (including user credentials), account takeover and, where the database account phpMyFAQ uses is privileged enough to write files, remote code execution. All phpMyFAQ versions before 3.2.6 are affected.
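To make the bug class concrete, here is an added example (not phpMyFAQ's code: the schema, column names, the stand-in password column and both handler functions are assumptions made for the illustration, and SQLite stands in for the real database). It shows the vulnerable string-built INSERT beside its parameterized replacement, driven by an email value that smuggles a subquery into the news row:

```python
"""Reproduction of the bug class behind CVE-2024-28107, added as an
illustration.  This is NOT phpMyFAQ's code: the table layout, column
names, the stand-in password column and both handler functions are
assumptions made for the example.  SQLite is used so it runs offline."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema: a news table plus a user table holding the
    kind of secret an injected subquery would go after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE faqnews (id INTEGER PRIMARY KEY, header TEXT, author_email TEXT);
        CREATE TABLE faquser (user_id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        INSERT INTO faquser (login, pass) VALUES ('admin', 'not-a-real-hash');
        """
    )
    return conn


def save_news_vulnerable(conn: sqlite3.Connection, header: str, email: str) -> None:
    """The vulnerable pattern: form fields spliced into the SQL text.
    An editor-supplied email of  x'||(SELECT ...)||'  closes the literal
    and runs the attacker's subquery inside the INSERT."""
    sql = (
        "INSERT INTO faqnews (header, author_email) "
        f"VALUES ('{header}', '{email}')"
    )
    conn.execute(sql)
    conn.commit()


def save_news_fixed(conn: sqlite3.Connection, header: str, email: str) -> None:
    """The hardened pattern: placeholders, so the driver sends the values
    separately and the email is stored verbatim whatever it contains."""
    conn.execute(
        "INSERT INTO faqnews (header, author_email) VALUES (?, ?)",
        (header, email),
    )
    conn.commit()


# Constructed payload: a second-order exfiltration.  The INSERT returns
# nothing to the attacker; the stolen value is written into the news item
# and read back later from the public news page.
PAYLOAD = "x'||(SELECT pass FROM faquser WHERE login='admin')||'"


def stored_email(handler) -> str:
    """Run one handler with the payload and return what landed in the row."""
    conn = setup_db()
    handler(conn, "Weekly update", PAYLOAD)
    row = conn.execute("SELECT author_email FROM faqnews").fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    print("vulnerable :", stored_email(save_news_vulnerable))  # xnot-a-real-hash
    print("fixed      :", stored_email(save_news_fixed))       # the payload, as text
```

With the vulnerable handler the stored address is the admin's password hash with an "x" prefix; with the parameterized handler the same payload is stored as an inert string. Note that no stacked query or error message is needed, so filters that only look for a second statement would not have caught this.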

💻 Affected Systems

Products:
  • phpMyFAQ
Versions: All versions before 3.2.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with FAQ news editing permissions. PHP 8.1+ and MySQL/PostgreSQL databases are typical configurations.

📦 What is this software?

phpMyFAQ is an open-source, multilingual FAQ system written in PHP. It stores its content in a relational database (MySQL/MariaDB, PostgreSQL, SQLite and SQL Server are supported) and ships an administration backend in which users with the appropriate permissions edit FAQ entries and news items; the news editor is where this vulnerability sits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full read/write access to the phpMyFAQ database and, if the database account can write files to the web root (for example MySQL's FILE privilege with INTO OUTFILE) or otherwise reach the operating system, escalate to remote code execution and take over the server hosting phpMyFAQ.

🟠

Likely Case

Attackers read the user table (password hashes and other credentials), tamper with FAQ and news content, and use the stolen credentials to escalate to an administrator account.

🟢

If Mitigated

With the patch (or parameterized queries) in place, the email value is stored as data rather than executed, so a malicious editor can do no more than the news-editing permission already allows; a least-privilege database account limits what even a successful injection could reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that holds the FAQ news editing permission; from there the injection is a single crafted form submission, so complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6

Vendor Advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-2grw-mc9r-822r

Restart Required: No

Instructions:

1. Back up your phpMyFAQ installation and database.
2. Download phpMyFAQ 3.2.6 or newer from the official repository.
3. Replace the existing installation files with the patched version.
4. Verify the update was successful by checking the version in the admin panel.

🔧 Temporary Workarounds

Restrict User Permissions

Platform: all

Temporarily remove FAQ news editing permissions from non-essential users until patching is complete.

Web Application Firewall Rules

Platform: all

Add WAF rules that block SQL injection patterns (quotes, comment sequences, UNION/SELECT) in the email parameter of the news-save request. Treat this as a stopgap only: the attacker controls the encoding the WAF sees, and apostrophes are legal in mailbox names, so expect both bypasses and false positives.

🧯 If You Can't Patch

  • Validate the email field strictly before it reaches the database: accept only a syntactically plausible address (an allow-list of characters or a proper address parser) and reject everything else. This is defense in depth, not a fix; only parameterized queries remove the injection.
  • Run phpMyFAQ against a database account with the least privilege it needs: read/write on its own schema only, and no FILE, SUPER or similar privileges that turn a SQL injection into file writes or command execution.

🔍 How to Verify

Check if Vulnerable:

Check phpMyFAQ version in admin panel or by examining the source code. Versions below 3.2.6 are vulnerable.

Check Version:

Check the version.php file or admin dashboard for version information.

Verify Fix Applied:

Confirm the version reads 3.2.6 or higher in the admin panel. For a source checkout, also confirm that the fix commit d0fae62a72615d809e6710861c1a7f67ac893007 is contained in what is deployed (for example with git branch --contains d0fae62a72615d809e6710861c1a7f67ac893007).
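As an added example (not a phpMyFAQ tool) for the version check above: a small gate that compares the version numerically, because a string comparison puts 3.2.10 before 3.2.6 and would report a patched install as vulnerable:

```python
"""Version gate for the verification step above (added example, not a
phpMyFAQ tool).  Compares numerically, so 3.2.10 is correctly treated as
newer than 3.2.6; a plain string comparison ('3.2.10' < '3.2.6' is True)
would call a patched install vulnerable."""
import re
from typing import Tuple

FIXED_IN = (3, 2, 6)  # first release carrying the fix, per the advisory

_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric (major, minor, patch) from strings like '3.2.6', 'v3.2.10'
    or '3.2.6-dev'.  A missing patch component counts as 0."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def is_vulnerable(text: str) -> bool:
    """True when the numeric version is below 3.2.6.  Pre-release suffixes
    are ignored here: for a development checkout, confirm the fix commit
    named above with git branch --contains instead of trusting the number."""
    return parse_version(text) < FIXED_IN


if __name__ == "__main__":
    for v in ("3.1.18", "3.2.5", "3.2.6", "3.2.10", "4.0.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it whatever string the admin dashboard or the packaged version file reports; anything below 3.2.6 needs the upgrade, and a development build at 3.2.6 should be checked against the commit rather than the number.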

📡 Detection & Monitoring

Log Indicators:

  • Database query logs (or a database proxy / audit log) showing INSERT or UPDATE statements on the news table that carry subqueries, comment sequences or unbalanced quotes
  • Multiple failed login attempts followed by FAQ news editing activity from the same account or source address
  • Suspicious values in the email parameter of news-save requests; these arrive in the POST body, so they appear only in WAF or request-body audit logs, not in a standard access log

Network Indicators:

  • Connections to the phpMyFAQ database from anything other than the web server, or the web server's database account issuing statements outside phpMyFAQ's normal schema
  • Unusually large responses from FAQ or news pages: data pulled by an injected subquery is typically written into content and then read back through the normal web front end

SIEM Query:

source="web_server" AND (email LIKE "%'%" OR email LIKE "%--%" OR email LIKE "%;%") AND uri="/admin/index.php?action=saveentry"

This assumes a source that logs the decoded email form field (a WAF, ModSecurity audit log or application request log); a standard web-server access log does not carry the POST body and will not match. The action name in the URI is the one this page uses; check it against the request your own installation sends when a news item is saved.
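To run that query's logic offline, here is an added example (not from the page or the phpMyFAQ project) over constructed sample records. The records are an assumed JSON-lines export from a WAF or request-body audit log, which is where the decoded email field is available; TARGET_URI is taken from the query above and should be adjusted to the action your logs actually show. It extends the query's three markers with the SELECT/UNION keywords an exfiltrating subquery needs:

```python
"""Detection logic for the SIEM query above, run over constructed sample
records.  Added example, not from the page or the phpMyFAQ project.  The
input format is an assumed JSON-lines export from a WAF or request-body
audit log; a plain access log does not record the POST body."""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# The URI the page's query keys on (assumed); adjust to whatever action
# name your deployment actually logs for the news save request.
TARGET_URI = "/admin/index.php?action=saveentry"

# The page's three patterns (quote, comment, statement separator) plus the
# SQL keywords an exfiltrating subquery needs.  Deliberately coarse: an
# apostrophe is legal in a mailbox name, so hits are triage leads, not proof.
SUSPICIOUS = re.compile(r"'|--|;|\bselect\b|\bunion\b", re.IGNORECASE)


def email_field(record: dict) -> Optional[str]:
    """Pull the decoded email parameter out of the logged form body."""
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    values = params.get("email")
    return values[0] if values else None


def is_suspicious(record: dict) -> bool:
    """One record matches if it targets the news-save URI and its email
    value contains any of the injection markers."""
    if record.get("uri") != TARGET_URI:
        return False
    email = email_field(record)
    return email is not None and SUSPICIOUS.search(email) is not None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, decoded email) for every suspicious record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_suspicious(rec):
            hits.append((rec["ts"], rec["user"], email_field(rec)))
    return hits


# Constructed sample records (not real traffic).  Bodies are URL-encoded
# the way a browser submits a form.
SAMPLE_LOG = """
{"ts": "2024-03-07T10:01:02Z", "user": "editor", "uri": "/admin/index.php?action=saveentry", "body": "header=Weekly+update&email=editor%40example.com"}
{"ts": "2024-03-07T10:05:44Z", "user": "editor", "uri": "/admin/index.php?action=saveentry", "body": "header=x&email=x%27%7C%7C%28SELECT+pass+FROM+faquser%29%7C%7C%27"}
{"ts": "2024-03-07T10:06:10Z", "user": "writer", "uri": "/admin/index.php?action=editentry", "body": "email=o%27brien%40example.com"}
{"ts": "2024-03-07T10:09:31Z", "user": "editor", "uri": "/admin/index.php?action=saveentry", "body": "header=y&email=a%40b.com%27+--+"}
"""


if __name__ == "__main__":
    for ts, user, email in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} user={user} email={email!r}")
```

The two flagged records are the subquery payload and the comment-terminated one; the apostrophe address on a different URI is ignored by the URI filter, but the same address posted to the news-save action would be flagged too, so review hits rather than acting on them automatically.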

🔗 References

  • Vendor advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-2grw-mc9r-822r
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-28107
