CVE-2023-1883 — thorsten/phpmyfaq vulnerable to improper access control

Description

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to improper access control when FAQ News is marked as inactive in settings and have comments enabled, allowing comments to be posted on inactive FAQs. This has been fixed in 3.1.12.

How to fix CVE-2023-1883

To remediate CVE-2023-1883, upgrade the affected package to a fixed version below.

—upgrade to 3.1.12 or later

Is CVE-2023-1883 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.1.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-1883
PATCHgithub.com/thorsten/phpMyFAQ
WEBgithub.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
WEBhuntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191