CVE-2024-27299

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Mar 25, 2024
Updated: Jan 9, 2025
CWE ID 89

Summary

CVE-2024-27299 is a SQL injection vulnerability in phpMyFAQ, an open-source FAQ web application for PHP 8.1 and above. An authenticated user with rights to add or edit FAQ news can exploit it: the `authorEmail` field of the "Add News" functionality is not sufficiently escaped before it is used in a database query. Depending on the deployment, the flaw can lead to data exfiltration, account takeover and, in some cases, remote code execution. The field is checked with PHP's `FILTER_VALIDATE_EMAIL` filter, but that filter is a syntax check, not an escaping step: a syntactically valid address may contain characters such as a single quote, so passing the filter does not make the value safe to concatenate into SQL. The issue is fixed in phpMyFAQ 3.2.6; affected users should upgrade as soon as possible.
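To show why an e-mail syntax check does not stop SQL injection, here is an added example; it is not phpMyFAQ code and not the advisory's proof of concept. It uses Python with an in-memory SQLite table. The `faqnews` table, its sample rows and the `edit_news_*` functions are constructed for the illustration, and `looks_like_email` is a dot-atom check built from the RFC 5322 atext set, which stands in for `FILTER_VALIDATE_EMAIL` (the PHP filter accepts the same unquoted local-part characters, including `'`, `/`, `*`, `=` and `-`). The payload is built only from those characters, so it passes the check and still rewrites the statement.

```python
import re
import sqlite3

# RFC 5322 atext: alphanumerics plus ! # $ % & ' * + - / = ? ^ _ ` { | } ~
# A dot-atom local part and a plain domain. Stand-in for PHP's
# FILTER_VALIDATE_EMAIL (same unquoted characters), not the filter itself.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
EMAIL_RE = re.compile(
    "^" + ATEXT + r"+(?:\." + ATEXT + r"+)*@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$"
)


def looks_like_email(value: str) -> bool:
    """Syntax check only: says nothing about whether the value is safe in SQL."""
    return EMAIL_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a FAQ news table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE faqnews (id INTEGER PRIMARY KEY, header TEXT, author_email TEXT);
        INSERT INTO faqnews VALUES (1, 'Release notes', 'editor@example.com');
        INSERT INTO faqnews VALUES (2, 'Maintenance window', 'ops@example.com');
        INSERT INTO faqnews VALUES (3, 'Holiday hours', 'hr@example.com');
        """
    )
    return db


def rows(db: sqlite3.Connection) -> list:
    return db.execute(
        "SELECT id, header, author_email FROM faqnews ORDER BY id"
    ).fetchall()


def edit_news_vulnerable(db, news_id: int, header: str, author_email: str) -> None:
    """Validate-then-concatenate: the pattern the advisory describes."""
    if not looks_like_email(author_email):
        raise ValueError("invalid e-mail address")
    # The value passed the format check, so it is spliced straight into the SQL.
    sql = "UPDATE faqnews SET header='%s', author_email='%s' WHERE id=%d" % (
        header, author_email, news_id,
    )
    db.execute(sql)
    db.commit()


def edit_news_safe(db, news_id: int, header: str, author_email: str) -> None:
    """Same validation, but the values travel as bound parameters."""
    if not looks_like_email(author_email):
        raise ValueError("invalid e-mail address")
    db.execute(
        "UPDATE faqnews SET header=?, author_email=? WHERE id=?",
        (header, author_email, news_id),
    )
    db.commit()


def apostrophe_breaks_vulnerable_query() -> bool:
    """A perfectly ordinary address with an apostrophe already breaks the statement."""
    try:
        edit_news_vulnerable(make_db(), 3, "Notice", "o'brien@example.com")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> tuple:
    # Only atext characters: the single quote closes the literal, /**/ stands
    # in for spaces (no space is allowed unquoted), -- comments out the real
    # WHERE clause. The editor meant to change row 3 only.
    payload = "news'/**/WHERE/**/1=1/**/--@example.com"
    assert looks_like_email(payload)

    vuln = make_db()
    edit_news_vulnerable(vuln, 3, "Notice", payload)   # every row is overwritten

    safe = make_db()
    edit_news_safe(safe, 3, "Notice", payload)         # row 3 stores the string verbatim
    return rows(vuln), rows(safe)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable:", vulnerable_rows)
    print("parameterized:", safe_rows)
```

The injected statement becomes `UPDATE faqnews SET header='Notice', author_email='news' WHERE 1=1`, so all three rows are clobbered even though the input satisfied the e-mail check; with bound parameters the same string is simply stored as row 3's (odd-looking) address. The lesson is the one the advisory draws: input validation decides what shape a value may have, while escaping or parameter binding decides how it reaches the database, and only the second defends against SQL injection.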

