phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.01328
Percentile:
0.79049
CVSS Scoring
CVSS v3.1 Score: 5.3
Severity: MEDIUM
Mapped CWE(s)
-
CWE-425
: Direct Request ('Forced Browsing')
All CAPEC(s)
-
CAPEC-127: Directory Indexing
-
CAPEC-143: Detect Unpublicized Web Pages
-
CAPEC-144: Detect Unpublicized Web Services
-
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
-
CAPEC-87: Forceful Browsing
CAPEC(s) with Mapped TTPs
-
CAPEC-127: Directory Indexing
Mapped TTPs:
-
T1083
: File and Directory Discovery
-
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
Mapped TTPs:
Mapped ATT&CK TTPs
-
T1083
: File and Directory Discovery
Kill Chain: discovery
-
T1565.002
: Transmitted Data Manipulation
Kill Chain: impact
Malware
APTs Threat Group Associations
Campaigns
- Operation Wocao
- SolarWinds Compromise
- Operation CuckooBees
- Operation Honeybee
- Operation Dream Job
- C0015
- Night Dragon
- KV Botnet Activity
Affected Products
- cpe:2.3:a:phpmyfaq:phpmyfaq:1.4.0:*:*:*:*:*:*:*
← Back to Home