phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.

Basic Information

ID CVE-2025-62519

Source GitHub_M

Published Nov 17, 2025 at 16:48

Modified Nov 17, 2025 at 16:59

Affected Product

Vendor thorsten

Product phpMyFAQ

Version < 4.0.14

Affected Versions thorsten phpMyFAQ < 4.0.14

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.",
    "published": "2025-11-17T16:48:49.678Z",
    "modified": "2025-11-17T16:59:09.772Z",
    "type": "cve",
    "title": "phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality",
    "source": "GitHub_M",
    "references": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-fxm2-cmwj-qvx4\nhttps://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14",
    "id": "CVE-2025-62519",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "thorsten phpMyFAQ < 4.0.14",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "phpMyFAQ",
    "version": "< 4.0.14",
    "vendor": "thorsten",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality_CVE-2025-62519