CVE-2024-55889

by Fred · 13/12/2024

phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim’s machine upon page visit by embedding it in an element without user interaction or explicit consent. Version 3.2.10 fixes the issue.</p> <p>More information : <a href="https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d">https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d</a></p> <div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-x"><a rel="nofollow noopener noreferrer" data-shared="sharing-x-663416" class="share-x sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=x" target="_blank" aria-labelledby="sharing-x-663416" > <span id="sharing-x-663416" hidden>Click to share on X (Opens in new window)</span> <span>X</span> </a></li><li class="share-bluesky"><a rel="nofollow noopener noreferrer" data-shared="sharing-bluesky-663416" class="share-bluesky sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=bluesky" target="_blank" aria-labelledby="sharing-bluesky-663416" > <span id="sharing-bluesky-663416" hidden>Click to share on Bluesky (Opens in new window)</span> <span>Bluesky</span> </a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-663416" class="share-facebook sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=facebook" target="_blank" aria-labelledby="sharing-facebook-663416" > <span id="sharing-facebook-663416" hidden>Click to share on Facebook (Opens in new window)</span> <span>Facebook</span> </a></li><li class="share-linkedin"><a rel="nofollow noopener noreferrer" data-shared="sharing-linkedin-663416" class="share-linkedin sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=linkedin" target="_blank" aria-labelledby="sharing-linkedin-663416" > <span id="sharing-linkedin-663416" hidden>Click to share on LinkedIn (Opens in new window)</span> <span>LinkedIn</span> </a></li><li class="share-threads"><a rel="nofollow noopener noreferrer" data-shared="sharing-threads-663416" class="share-threads sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=threads" target="_blank" aria-labelledby="sharing-threads-663416" > <span id="sharing-threads-663416" hidden>Click to share on Threads (Opens in new window)</span> <span>Threads</span> </a></li><li class="share-mastodon"><a rel="nofollow noopener noreferrer" data-shared="sharing-mastodon-663416" class="share-mastodon sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-55889/?share=mastodon" target="_blank" aria-labelledby="sharing-mastodon-663416" > <span id="sharing-mastodon-663416" hidden>Click to share on Mastodon (Opens in new window)</span> <span>Mastodon</span> </a></li><li class="share-end"></li></ul></div></div></div> <div id='jp-relatedposts' class='jp-relatedposts' > <h3 class="jp-relatedposts-headline"><em>Similar</em></h3> </div> <nav class="pagination group"> </nav> </div> <div class="clear"></div> </div> </div> </article> <div class="clear"></div> <p class="post-tags"><span>Tags:</span> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" rel="tag">Cybersecurity Alert</a></p> <section id="comments" class="themeform">  </section> </div> </main> <div class="sidebar s1 collapsed" data-position="left" data-layout="col-2cr" data-sb-id="s1"> <button class="sidebar-toggle" title="Expand Sidebar"><i class="fas sidebar-toggle-arrows"></i></button> <div class="sidebar-content"> <ul class="post-nav group"> <li class="next"><strong>Next story </strong><a href="https://security.nuyts.tech/cve-2024-24902/" rel="next"><i class="fas fa-chevron-right"></i><span>CVE-2024-24902</span></a></li> <li class="previous"><strong>Previous story </strong><a href="https://security.nuyts.tech/cve-2024-9608/" rel="prev"><i class="fas fa-chevron-left"></i><span>CVE-2024-9608</span></a></li> </ul> <div id="search-4" class="widget widget_search"><form role="search" method="get" class="search-form" action="https://security.nuyts.tech/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="Search …" value="" name="s" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></div> <div id="recent-posts-2" class="widget widget_recent_entries"> <h3 class="widget-title">Recent Posts</h3> <ul> <li> <a href="https://security.nuyts.tech/cve-2025-12180/">CVE-2025-12180</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12090/">CVE-2025-12090</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12038/">CVE-2025-12038</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11983/">CVE-2025-11983</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11740/">CVE-2025-11740</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11502/">CVE-2025-11502</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-5949/">CVE-2025-5949</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12118/">CVE-2025-12118</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11995/">CVE-2025-11995</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11927/">CVE-2025-11927</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11377/">CVE-2025-11377</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12367/">CVE-2025-12367</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11928/">CVE-2025-11928</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11833/">CVE-2025-11833</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-62275/">CVE-2025-62275</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11922/">CVE-2025-11922</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11920/">CVE-2025-11920</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11816/">CVE-2025-11816</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11174/">CVE-2025-11174</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-62276/">CVE-2025-62276</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12464/">CVE-2025-12464</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63563/">CVE-2025-63563</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63562/">CVE-2025-63562</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63561/">CVE-2025-63561</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-60711/">CVE-2025-60711</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-10693/">CVE-2025-10693</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-64349/">CVE-2025-64349</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-64348/">CVE-2025-64348</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63458/">CVE-2025-63458</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63454/">CVE-2025-63454</a> </li> </ul> </div><div id="categories-2" class="widget widget_categories"><h3 class="widget-title">Categories</h3> <ul> <li class="cat-item cat-item-13"><a href="https://security.nuyts.tech/category/critical-cyberalert/">Critical cyberalert</a> </li> <li class="cat-item cat-item-2"><a href="https://security.nuyts.tech/category/vulnerabilities/">Vulnerabilities</a> </li> </ul> </div><div id="tag_cloud-2" class="widget widget_tag_cloud"><h3 class="widget-title">Tags</h3><div class="tagcloud"><a href="https://security.nuyts.tech/tag/cisa/" class="tag-cloud-link tag-link-18 tag-link-position-1" style="font-size: 8pt;" aria-label="CISA (1 item)">CISA</a> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" class="tag-cloud-link tag-link-3 tag-link-position-2" style="font-size: 22pt;" aria-label="Cybersecurity Alert (289,935 items)">Cybersecurity Alert</a> <a href="https://security.nuyts.tech/tag/shields-up/" class="tag-cloud-link tag-link-14 tag-link-position-3" style="font-size: 8pt;" aria-label="Shields Up (1 item)">Shields Up</a></div> </div> </div> </div> </div> </div> </div> </div> <footer id="footer"> <section class="container" id="footer-bottom"> <div class="container-inner"> <a id="back-to-top" href="#"><i class="fas fa-angle-up"></i></a> <div class="hu-pad group"> <div class="grid one-half"> <div id="copyright"> <p>© 1999-2025 <a href="https://www.nuyts.tech">NUYTSTECH</a>. All Rights Reserved. Use of the CVE (Common Vulnerabilities and Exposures) from this non-profit website are subject to the terms of use.</p> </div> </div> <div class="grid one-half last"> <ul class="social-links"><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Twitter-square" aria-label="Follow us on Twitter-square" href="https://twitter.com/NUYTSTECH" target="_blank" ><i class="fab fa-twitter-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Facebook" aria-label="Follow us on Facebook" href="https://www.facebook.com/nuytstech" target="_blank" ><i class="fab fa-facebook-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Instagram" aria-label="Follow us on Instagram" href="https://www.instagram.com/nuyts.tech/" target="_blank" ><i class="fab fa-instagram"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Tumblr" aria-label="Follow us on Tumblr" href="https://nuytstech.tumblr.com/" target="_blank" ><i class="fab fa-tumblr-square"></i></a></li></ul> </div> </div> </div> </section> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/hueman\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-BDBTK0NYFL"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-BDBTK0NYFL'); </script>  <script>  <script type="text/javascript"> window.WPCOM_sharing_counts = {"https:\/\/security.nuyts.tech\/cve-2024-55889\/":663416}; </script> <script id="cookie-notice-front-js-before"> var cnArgs = {"ajaxUrl":"https:\/\/security.nuyts.tech\/wp-admin\/admin-ajax.php","nonce":"d1c9434252","hideEffect":"fade","position":"bottom","onScroll":false,"onScrollOffset":100,"onClick":false,"cookieName":"cookie_notice_accepted","cookieTime":2592000,"cookieTimeRejected":2592000,"globalCookie":false,"redirection":false,"cache":true,"revokeCookies":false,"revokeCookiesOpt":"automatic"}; </script> <script src="https://security.nuyts.tech/wp-content/plugins/cookie-notice/js/front.min.js?ver=2.5.8" id="cookie-notice-front-js"></script> <script src="https://c0.wp.com/c/6.8.3/wp-includes/js/underscore.min.js" id="underscore-js"></script> <script id="hu-front-scripts-js-extra"> var HUParams = {"_disabled":[],"SmoothScroll":{"Enabled":false,"Options":{"touchpadSupport":false}},"centerAllImg":"1","timerOnScrollAllBrowsers":"1","extLinksStyle":"","extLinksTargetExt":"","extLinksSkipSelectors":{"classes":["btn","button"],"ids":[]},"imgSmartLoadEnabled":"","imgSmartLoadOpts":{"parentSelectors":[".container .content",".post-row",".container .sidebar","#footer","#header-widgets"],"opts":{"excludeImg":[".tc-holder-img"],"fadeIn_options":100,"threshold":0}},"goldenRatio":"1.618","gridGoldenRatioLimit":"350","sbStickyUserSettings":{"desktop":false,"mobile":false},"sidebarOneWidth":"340","sidebarTwoWidth":"260","isWPMobile":"","menuStickyUserSettings":{"desktop":"stick_up","mobile":"stick_up"},"mobileSubmenuExpandOnClick":"1","submenuTogglerIcon":"<i class=\"fas fa-angle-down\"><\/i>","isDevMode":"","ajaxUrl":"https:\/\/security.nuyts.tech\/?huajax=1","frontNonce":{"id":"HuFrontNonce","handle":"ee47b683e2"},"isWelcomeNoteOn":"","welcomeContent":"","i18n":{"collapsibleExpand":"Expand","collapsibleCollapse":"Collapse"},"deferFontAwesome":"","fontAwesomeUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/css\/font-awesome.min.css?3.7.27","mainScriptUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/js\/scripts.min.js?3.7.27","flexSliderNeeded":"","flexSliderOptions":{"is_rtl":false,"has_touch_support":true,"is_slideshow":false,"slideshow_speed":5000},"fitTextMap":{"single_post_title":{"selectors":".single h1.entry-title","minEm":1.375,"maxEm":2.62},"page_title":{"selectors":".page-title h1","minEm":1,"maxEm":1.3},"home_page_title":{"selectors":".home .page-title","minEm":1,"maxEm":1.2,"compression":2.5},"post_titles":{"selectors":".blog .post-title, .archive .post-title","minEm":1.375,"maxEm":1.475},"featured_post_titles":{"selectors":".featured .post-title","minEm":1.375,"maxEm":2.125},"comments":{"selectors":".commentlist li","minEm":0.8125,"maxEm":0.93,"compression":2.5},"entry":{"selectors":".entry","minEm":0.9375,"maxEm":1.125,"compression":2.5},"content_h1":{"selectors":".entry h1, .woocommerce div.product h1.product_title","minEm":1.7578125,"maxEm":2.671875},"content_h2":{"selectors":".entry h2","minEm":1.5234375,"maxEm":2.390625},"content_h3":{"selectors":".entry h3","minEm":1.40625,"maxEm":1.96875},"content_h4":{"selectors":".entry h4","minEm":1.2890625,"maxEm":1.6875},"content_h5":{"selectors":".entry h5","minEm":1.0546875,"maxEm":1.40625},"content_h6":{"selectors":".entry h6","minEm":0.9375,"maxEm":1.265625,"compression":2.5}},"userFontSize":"16","fitTextCompression":"1.5"}; </script> <script src="https://security.nuyts.tech/wp-content/themes/hueman/assets/front/js/scripts.min.js?ver=3.7.27" id="hu-front-scripts-js" defer></script> <script id="jetpack-stats-js-before"> _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"197793834\",\"post\":\"663416\",\"tz\":\"1\",\"srv\":\"security.nuyts.tech\",\"j\":\"1:15.2\"}") ]); _stq.push([ "clickTrackerInit", "197793834", "663416" ]); </script> <script src="https://stats.wp.com/e-202545.js" id="jetpack-stats-js" defer data-wp-strategy="defer"></script> <script id="sharing-js-js-extra"> var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; </script> <script src="https://c0.wp.com/p/jetpack/15.2/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script id="sharing-js-js-after"> var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-x' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-x' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomx', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-bluesky' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-bluesky' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcombluesky', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-facebook' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-threads' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-threads' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomthreads', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-mastodon' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-mastodon' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcommastodon', 'menubar=1,resizable=1,width=460,height=400' ); return false; } } ); } )(); </script>   <div id="cookie-notice" role="dialog" class="cookie-notice-hidden cookie-revoke-hidden cn-position-bottom" aria-label="Cookie Notice" style="background-color: rgba(50,50,58,1);"><div class="cookie-notice-container" style="color: #fff"><span id="cn-notice-text" class="cn-text-container">We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.</span><span id="cn-notice-buttons" class="cn-buttons-container"><button id="cn-accept-cookie" data-cookie-set="accept" class="cn-set-cookie cn-button" aria-label="Ok" style="background-color: #00a99d">Ok</button><button data-link-url="https://security.nuyts.tech/terms-of-use/privacy-policy/" data-link-target="_blank" id="cn-more-info" class="cn-more-info cn-button" aria-label="Privacy policy" style="background-color: #00a99d">Privacy policy</button></span><button id="cn-close-notice" data-cookie-set="accept" class="cn-close-icon" aria-label="No"></button></div> </div> </body> </html>