Information Disclosure in phpMyFAQ Web Application from Thorsten's Team
CVE-2025-69200
7.5HIGH
What is CVE-2025-69200?
phpMyFAQ, an open-source FAQ web application, is susceptible to a vulnerability that permits an unauthenticated remote attacker to invoke the generation of a configuration backup ZIP file via the endpoint /api/setup/backup. This ZIP file, accessible through a web link, contains sensitive configuration files, including database credentials stored in database.php. The exposure of these files can lead to significant information disclosure, enabling malicious entities to compromise the system further. The issue is rectified in version 4.0.16.
Affected Version(s)
phpMyFAQ < 4.0.16