The vulnerability resides in phpMyFAQ’s CurrentUser::setTokenData function, where OAuth token claims are not properly escaped. A user who is authenticated can craft token fields containing SQL metacharacters, enabling them to break out of string literals and inject arbitrary SQL statements. This flaw allows attackers to read, modify, or delete data within the application’s database, potentially compromising confidentiality and integrity of stored information.

Affected systems include installations of thorsten’s phpMyFAQ product prior to version 4.1.2 that are configured to use Azure Active Directory for authentication. Users possessing Azure AD accounts whose display names or JWT claims contain SQL metacharacters can exploit this issue. The vulnerability is limited to systems that process OAuth tokens without proper input sanitization.

The CVSS score of 7.7 indicates a high severity risk. The exploit requires an authenticated Azure AD account and the ability to embed SQL metacharacters in token fields, which limits the attack surface but still poses significant danger if users with such accounts exist. EPSS score of < 1% indicates a very low probability of exploitation, and the flaw is not listed in the CISA KEV catalog, suggesting it is not currently a known exploited vulnerability. Nonetheless, the potential for arbitrary database access warrants immediate attention.