Exploit Title: phpMyFAQ v3.1.12 - CSV Injection Application: phpMyFAQ Version: 3.1.12 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.phpmyfaq.de/ Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip Date of found: 21.04.2023 Author: Mirabbas Aalarov Tested on: Windows 2. Technical Details & POC ======================================== Step 1. login as user step 2. Go to user control panel and change name as =calc|a!z| and save step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator payload: calc|a!z| Poc video: https://youtu.be/lXwaexX-1uU
Copyright ©2023 Exploitalert.