CVE-2024-55889
Published: 13 December 2024
Summary
CVE-2024-55889 is a medium-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in phpMyFAQ (vendor phpMyFAQ). Its CVSS base score is 4.9 (Medium).
Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
phpMyFAQ is an open source FAQ web application that contains a vulnerability in its FAQ Record component prior to version 3.2.10. The flaw permits a privileged attacker to force an unintended file download on a visiting user's system by embedding a crafted reference inside an <iframe> element, which triggers automatically without user interaction or consent. The issue is tracked as CWE-451 and carries a CVSS 3.1 score of 4.9, reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, and high integrity impact with no confidentiality or availability effects.
An authenticated administrator or other high-privileged user can exploit the weakness by placing the iframe in content that a victim will view, resulting in the browser initiating a file download on the victim's machine. Because the vector requires no user interaction and works across the network, the attacker can achieve unauthorized modification of the victim's local environment through forced downloads.
The project addressed the issue in release 3.2.10. The accompanying GitHub Security Advisory GHSA-m3r7-8gw7-qwvc and the referenced commit fa0f7368dc3288eedb1915def64ef8fb270f711d document the fix and recommend that administrators upgrade promptly to eliminate the iframe-based download behavior.
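As an added illustration, not phpMyFAQ's own code and not the fix in the commit above, the following Python audits one stored FAQ record body for <iframe> elements, rewrites it with them removed, and records each dropped src so an administrator can review content published before the upgrade to 3.2.10. The sample record is constructed; the function and class names are this example's own.

```python
from html.parser import HTMLParser

# Constructed sample: a benign FAQ answer with a hidden <iframe> appended to it.
SAMPLE_RECORD = ('<p>Reset your password via <a href="/reset">this link</a>.</p>'
                 '<iframe src="https://example.invalid/forced-download.bin" hidden></iframe>'
                 '<p>Questions &amp; answers</p>')


class IframeFilter(HTMLParser):
    """Re-emit an HTML fragment with every <iframe> (and its body) removed,
    recording the src of each dropped element for administrator review."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.out, self.dropped, self._depth = [], [], 0  # depth > 0 inside <iframe>

    def handle_starttag(self, tag, attrs):        # HTMLParser lowercases tag names
        if tag == "iframe":
            self._depth += 1
            self.dropped.append(dict(attrs).get("src") or "")
        elif self._depth == 0:
            self.out.append(self.get_starttag_text())  # raw tag, attributes intact

    def handle_startendtag(self, tag, attrs):     # self-closing <iframe .../>, <br/>
        self.handle_starttag(tag, attrs)
        if tag == "iframe":
            self._depth -= 1                      # no body follows, restore depth

    def handle_endtag(self, tag):
        if tag == "iframe":
            self._depth = max(0, self._depth - 1)
        elif self._depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):             # re-emit &amp; unchanged
        if self._depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):               # re-emit &#39; unchanged
        if self._depth == 0:
            self.out.append(f"&#{name};")


def sanitize_faq_record(html):
    """Return (clean_html, dropped_srcs) for one stored FAQ record body."""
    f = IframeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

Run it over exported record bodies and treat any non-empty dropped list as content to review; the rewritten HTML keeps every other tag and entity byte-for-byte.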
EPSS for the CVE remains at 0.0919 with no material increase from its initial value, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3486
Vulnerability details
phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.
CWE(s)
- CWE-451 User Interface (UI) Misrepresentation of Critical Information
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.