CVE-2024-54141

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe	Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-vrjr-p3xp-xx2x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:phpmyfaq:phpmyfaq:4.0.0:alpha:*:*:*:*:*:*

History

15 Aug 2025, 18:44

Type	Values Removed	Values Added
First Time		Phpmyfaq phpmyfaq Phpmyfaq
CPE		cpe:2.3:a:phpmyfaq:phpmyfaq:4.0.0:alpha::::::
References	~~() https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe -~~	() https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe - Patch
References	~~() https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-vrjr-p3xp-xx2x -~~	() https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-vrjr-p3xp-xx2x - Exploit, Vendor Advisory
Summary		(es) phpMyFAQ es una aplicación web de preguntas frecuentes de código abierto para PHP 8.1+ y MySQL, PostgreSQL y otras bases de datos. Antes de la versión 4.0.0, phpMyFAQ exponía las credenciales del servidor de la base de datos (es decir, PostgreSQL) cuando fallaba la conexión a la base de datos. Esta vulnerabilidad se solucionó en la versión 4.0.0.

06 Dec 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-06 15:15

Updated : 2025-08-15 18:44

NVD link : CVE-2024-54141

Mitre link : CVE-2024-54141

CVE.ORG link : CVE-2024-54141

JSON object : View

Products Affected

phpmyfaq

phpmyfaq

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2024-54141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-12-06T15:15:09.530", "references": [{"url": "https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-vrjr-p3xp-xx2x", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0."}, {"lang": "es", "value": "phpMyFAQ es una aplicaci\u00f3n web de preguntas frecuentes de c\u00f3digo abierto para PHP 8.1+ y MySQL, PostgreSQL y otras bases de datos. Antes de la versi\u00f3n 4.0.0, phpMyFAQ expon\u00eda las credenciales del servidor de la base de datos (es decir, PostgreSQL) cuando fallaba la conexi\u00f3n a la base de datos. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.0.0."}], "lastModified": "2025-08-15T18:44:17.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:4.0.0:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D5A7973-57B0-46D4-8ECE-E824386298D8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}