phpMyFAQ Email and Private Data Exposure Vulnerability

Vulnerability

A vulnerability in phpMyFAQ versions through 4.0.16 allows multiple public API endpoints to improperly disclose sensitive user information due to inadequate access controls. The OpenQuestionController::list() endpoint, for instance, retrieves all questions by default, including those marked as non-public, along with user email addresses. Similar issues are present in the comment, news, and FAQ APIs. This information disclosure could facilitate phishing attacks by harvesting email addresses or accessing content designated as private.
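The access-control gap described above, shown as an added illustration rather than phpMyFAQ's own code: a listing that returns every row and column to any caller, beside a hardened version that filters non-public questions server-side and withholds the submitter email unless the caller has been resolved to an authenticated user with a dedicated right. Class, function and field names are hypothetical.

```php
<?php
// Added illustration, not phpMyFAQ's own code: the access-control gap described
// above, as a vulnerable listing beside a hardened one. All names are hypothetical.
final class OpenQuestion
{
    public function __construct(
        public readonly int $id, public readonly string $question,
        public readonly string $email, public readonly bool $isVisible,
    ) {}
}

// Constructed sample rows: one public question, one marked non-public.
function sampleQuestions(): array
{
    return [
        new OpenQuestion(1, 'How do I reset my password?', 'alice@example.test', true),
        new OpenQuestion(2, 'Who approved the vendor contract?', 'bob@example.test', false),
    ];
}

// Vulnerable shape: every row and every column go back to any caller.
function listOpenQuestionsVulnerable(array $questions): array
{
    return array_map(fn (OpenQuestion $q) => [
        'id' => $q->id, 'question' => $q->question, 'email' => $q->email,
    ], $questions);
}

// Hardened shape: the visibility filter runs server-side for every caller, and the
// submitter email is returned only when the request carries an authenticated user
// holding a dedicated right ($canViewPrivate is that check, resolved by the caller).
function listOpenQuestionsHardened(array $questions, bool $canViewPrivate): array
{
    $rows = [];
    foreach ($questions as $q) {
        if (!$q->isVisible && !$canViewPrivate) {
            continue;
        }
        $row = ['id' => $q->id, 'question' => $q->question];
        if ($canViewPrivate) {
            $row['email'] = $q->email;
        }
        $rows[] = $row;
    }
    return $rows;
}

// Anonymous caller: only the public question comes back, with no email column.
print_r(listOpenQuestionsHardened(sampleQuestions(), false));
```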

Impact

This vulnerability leads to unauthorized exposure of email addresses and non-public content, increasing the risk of phishing attacks and data scraping.

Reproduction

The vulnerability can be reproduced by sending a request to the open-questions API endpoint without any authentication or access controls. The response returns questions marked as non-public along with the submitters' email addresses.

Remediation

Users can upgrade to phpMyFAQ version 4.0.17 to address this vulnerability.

Added: Jan 24, 2026, 3:17 AM
Updated: Jan 24, 2026, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.