Possible arbitrary PHP code execution vulnerability
- Issued on:
- phpMyFAQ <= 2.8.3
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.8.x.
While analysing the advisory, Secunia noticed that authenticated users with the permission "Right to add attachments" are able to exploit an already publicly known issue in the bundled Ajax File Manager of phpMyFAQ version 2.8.3, which leads to arbitrary PHP code execution.
The phpMyFAQ Team has released a new phpMyFAQ version 2.8.4 which fixes this vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
There's no workaround except installing phpMyFAQ 2.8.3.
Please check this advisory for further information about the publicly known issue in the bundled Ajax File Manager.
The phpMyFAQ Team would like to thank Secunia for the responsible disclosure of this vulnerability.