Miggo Logo
Miggo Vulnerability Database
CVE-2023-1883

CVE-2023-1883: thorsten/phpmyfaq vulnerable to improper access control

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-1883
GHSA ID
GHSA-2wjp-w7g7-h63q
EPSS Score
0.49805%
CWE
CWE-284
Published
4/5/2023
Updated
4/6/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
thorsten/phpmyfaqcomposer< 3.1.123.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability stemmed from missing activation checks in ajaxservice.php's comment handling. The patch added a new isActive() check to the conditional, proving the pre-patch code lacked this critical access control. The Faq::commentDisabled() function's comparison operator change shows an additional security hardening that contributed to the overall fix, though wasn't the primary vulnerability vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

t*orst*n/p*pmy**q prior to *.*.** is vuln*r**l* to improp*r ****ss *ontrol w**n **Q N*ws is m*rk** *s in**tiv* in s*ttin*s *n* **v* *omm*nts *n**l**, *llowin* *omm*nts to ** post** on in**tiv* **Qs. T*is **s ***n *ix** in *.*.**.

Reasoning

T** *or* vuln*r**ility st*mm** *rom missin* **tiv*tion ****ks in `*j*xs*rvi**.p*p`'s *omm*nt **n*lin*. T** p*t** ***** * n*w `is**tiv*()` ****k to t** *on*ition*l, provin* t** pr*-p*t** *o** l**k** t*is *riti**l ****ss *ontrol. T** `**q::*omm*nt*is**