CVE-2025-69200: CWE-202: Exposure of Sensitive Information Through Data Queries in thorsten phpMyFAQ
Description
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, the `POST /api/setup/backup` endpoint can be called by an unauthenticated remote attacker to generate a configuration backup ZIP. The archive is written to a web-accessible location, so the attacker can then fetch it directly over HTTP. The ZIP contains sensitive configuration files, for example `database.php` with the database credentials, so the result is high-impact information disclosure and a likely pivot to the database and anything else those credentials protect. Version 4.0.16 fixes the issue.

Practical follow-up for operators (general guidance, not vendor text): upgrade to 4.0.16 or later. Until the upgrade is done, deny access to `/api/setup/` at the web server or reverse proxy, since the setup API has no business being reachable on a deployed instance. Check web-accessible directories for leftover backup ZIPs and review the access log for POST requests to `/api/setup/backup`. Any instance that was reachable while vulnerable should be treated as having leaked its database credentials, and those credentials should be rotated.
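The detection side of the advisory, as an added example that is not phpMyFAQ code or part of the original advisory: a small Python script that scans combined-format web access logs for a successful unauthenticated POST to `/api/setup/backup` and correlates it with a ZIP fetched by the same client shortly afterwards, plus a version check against the fixed release. The log lines are constructed, the ZIP path in them is hypothetical (the advisory only says "web-accessible location" and names no directory), and the ten-minute correlation window is a tuning assumption.

```python
"""Scan access logs for the CVE-2025-69200 pattern: an anonymous POST to the
phpMyFAQ backup endpoint followed by a ZIP download from the same client.

Added example; not phpMyFAQ code. Assumptions are marked in comments."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in Apache/nginx combined log format; not real traffic.
# The ZIP path is hypothetical: the advisory does not name the real location.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2025:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2025:14:02:19 +0000] "POST /api/setup/backup HTTP/1.1" 200 84 "-" "python-requests/2.32"
203.0.113.7 - - [29/Dec/2025:14:02:21 +0000] "GET /some/web/dir/backup-config.zip HTTP/1.1" 200 20480 "-" "python-requests/2.32"
198.51.100.4 - - [29/Dec/2025:14:05:00 +0000] "GET /api/faq/1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Dec/2025:14:05:05 +0000] "GET /assets/docs.zip HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Dec/2025:14:09:40 +0000] "POST /api/setup/backup HTTP/1.1" 403 12 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TRIGGER_PATH = "/api/setup/backup"   # endpoint named in the advisory
FIXED_VERSION = (4, 0, 16)           # first fixed release per the advisory
WINDOW = timedelta(minutes=10)       # correlation window; tuning assumption


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def detect_backup_abuse(log_text: str) -> List[Dict]:
    """Return one finding per successful POST to the backup endpoint.

    A 2xx on that POST is the core indicator (a patched or properly restricted
    instance answers with 401/403). The follow-up GET of a .zip by the same
    client inside WINDOW shows the archive was actually retrieved; a ZIP fetch
    with no preceding trigger is ignored, as is a rejected POST."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not (ev["method"] == "POST" and ev["path"] == TRIGGER_PATH
                and 200 <= ev["status"] < 300):
            continue
        download = None
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break
            if (later["ip"] == ev["ip"] and later["method"] == "GET"
                    and later["path"].lower().endswith(".zip")
                    and later["status"] == 200):
                download = later["path"]
                break
        findings.append({"ip": ev["ip"],
                         "triggered_at": ev["ts"].isoformat(),
                         "downloaded": download})
    return findings


def is_vulnerable_version(version: str) -> bool:
    """True for phpMyFAQ releases before 4.0.16, the first fixed release."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    for f in detect_backup_abuse(SAMPLE_LOG):
        print(f"{f['ip']} triggered backup at {f['triggered_at']}, "
              f"download: {f['downloaded'] or 'not observed'}")
    print("4.0.15 vulnerable:", is_vulnerable_version("4.0.15"))
```

Running this over the constructed sample flags only 203.0.113.7, which triggered the backup and pulled a ZIP two seconds later; the unrelated ZIP download by 198.51.100.4 and the rejected POST from 192.0.2.9 are left alone. On a real log the path filter should be narrowed to the directory the archive is actually written to once that is known, which cuts the false-positive rate from legitimate ZIP downloads.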
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T14:37:07.300Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6952a23a71a94549f144cb10
Added to database: 12/29/2025, 3:46:02 PM
Last updated: 12/29/2025, 6:45:33 PM