php · thorsten/phpmyfaq
Heads-up
phpMyFAQ: Missing authorization checks in four public API write endpoints
What changed
Four public API write endpoints (CategoryController.create, FaqController.create, FaqController.update, QuestionController.create) are missing authorization checks. They call hasValidToken(), which only authenticates the request, but never call userHasPermission(), which would authorize the action, so any holder of a valid API token can perform these admin operations regardless of the rights granted to that token's user.
Who it affects
All installations of phpMyFAQ using the public API (v4.0) with API token authentication.
What to do today
Apply the missing userHasPermission() calls to the four endpoints as described in the advisory.
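As an added illustration (not code from phpMyFAQ or from the advisory), the defect pattern described above beside its corrected form: only the method names hasValidToken() and userHasPermission() are taken from the advisory, while the base class, the 'add_category' permission name and the array-shaped responses are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. Only hasValidToken() and userHasPermission()
// are named in the advisory; the base class, the 'add_category' permission string
// and the array-shaped responses are assumptions made for this example.
abstract class ApiController
{
    // Stand-in for the authenticated principal: token validity plus granted permissions.
    public function __construct(private bool $tokenValid, private array $permissions) {}

    protected function hasValidToken(): bool { return $this->tokenValid; }

    protected function userHasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Defect pattern the advisory describes: authentication only, no authorization.
final class VulnerableCategoryController extends ApiController
{
    public function create(array $payload): array
    {
        if (!$this->hasValidToken()) {
            return ['status' => 401, 'error' => 'unauthenticated'];
        }
        return ['status' => 201, 'created' => $payload['name']];
    }
}

// Corrected pattern: a valid token is necessary but not sufficient; the token's
// user must also hold the permission for this specific write action.
final class FixedCategoryController extends ApiController
{
    public function create(array $payload): array
    {
        if (!$this->hasValidToken()) {
            return ['status' => 401, 'error' => 'unauthenticated'];
        }
        if (!$this->userHasPermission('add_category')) {
            return ['status' => 403, 'error' => 'forbidden'];
        }
        return ['status' => 201, 'created' => $payload['name']];
    }
}

// Constructed sample: a valid token whose user holds only a read permission.
$before = (new VulnerableCategoryController(true, ['view_faq']))->create(['name' => 'Billing']);
$after  = (new FixedCategoryController(true, ['view_faq']))->create(['name' => 'Billing']);
printf("vulnerable: %d, fixed: %d\n", $before['status'], $after['status']);
```

The same two-step check (token validity, then a per-action permission) applies to each of the four endpoints named above.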