Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq


Reported on

Dec 28th 2021


Hi there, there is a CSRF in your logout function. This will force admin to logout if he/she clicks on the link attacker gives him.

Proof of Concept

  1. Install phpmyfaq on your system.
  2. Login as admin
  3. Open this link /admin/index.php?action=logout
  4. See that you are logged out of phpmyfaq.


This vulnerability is capable of CSRF.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
Thorsten Rinne validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a
a year ago
Thorsten Rinne
a year ago


This is the fix for the 3.0 branch, will merge it later to main.

Thorsten Rinne
a year ago


Can you confirm the patch?

Thorsten Rinne marked this as fixed in 3.0.10 with commit 560239 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation