{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-55889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-12T15:00:38.902Z", "datePublished": "2024-12-13T13:44:57.630Z", "dateUpdated": "2024-12-13T20:42:24.897Z"}, "containers": {"cna": {"title": "phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames", "problemTypes": [{"descriptions": [{"cweId": "CWE-451", "lang": "en", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"}, {"name": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d", "tags": ["x_refsource_MISC"], "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"version": "< 3.2.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-13T13:44:57.630Z"}, "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue."}], "source": {"advisory": "GHSA-m3r7-8gw7-qwvc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-13T20:42:00.544690Z", "id": "CVE-2024-55889", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-13T20:42:24.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-55889", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-13T20:42:00.544690Z"}}}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-13T20:42:18.023Z"}}], "cna": {"title": "phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames", "source": {"advisory": "GHSA-m3r7-8gw7-qwvc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "thorsten", "product": "phpMyFAQ", "versions": [{"status": "affected", "version": "< 3.2.10"}]}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc", "name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d", "name": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-13T13:44:57.630Z"}}}, "cveMetadata": {"cveId": "CVE-2024-55889", "state": "PUBLISHED", "dateUpdated": "2024-12-13T20:42:24.897Z", "dateReserved": "2024-12-12T15:00:38.902Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-13T13:44:57.630Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "matchCriteriaId": "17583C51-6485-4F89-BCE0-538A0F2793B0", "versionEndExcluding": "3.2.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue."}, {"lang": "es", "value": "phpMyFAQ es una aplicaci\u00f3n web de c\u00f3digo abierto para preguntas frecuentes. Antes de la versi\u00f3n 3.2.10, exist\u00eda una vulnerabilidad en el componente de registro de preguntas frecuentes por la que un atacante con privilegios pod\u00eda activar la descarga de un archivo en la m\u00e1quina de la v\u00edctima al visitar una p\u00e1gina incrust\u00e1ndolo en un elemento sin interacci\u00f3n del usuario ni consentimiento expl\u00edcito. La versi\u00f3n 3.2.10 soluciona el problema."}], "id": "CVE-2024-55889", "lastModified": "2025-08-14T18:56:50.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-13T14:15:22.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-12T22:44:54.148204+00:00", "updated": "2025-07-12T22:44:54.148258+00:00", "vendors": ["thorsten", "thorsten$PRODUCT$phpmyfaq"]}