The public /solution_id_{id}.html route calls Faq::getIdFromSolutionId() in phpmyfaq/src/phpMyFAQ/Faq.php:1312. That query joins faqdata with faqcategoryrelations solely by solution_id and returns the matching FAQ's id, lang, thema (title), and category_id with no permission filter. An unauthenticated visitor hits the route with a sequential integer and the server 301-redirects to /content/<category>/<id>/<lang>/<title-slug>.html, leaking the FAQ's existence, internal id, language, category binding, and title via the redirect's Location header and the redirected page's canonical link, share-to-social URLs, and hidden form fields. The related getFaqBySolutionId() at line 1221 contains an explicit fallback query (added "for tests") that also bypasses the permission filter, widening the blast radius to any callsite that trusts its result.
getIdFromSolutionId() has no permission filterphpmyfaq/src/phpMyFAQ/Faq.php:1312:
public function getIdFromSolutionId(int $solutionId): array
{
$query = sprintf(
'SELECT fd.id, fd.lang, fd.thema AS question, fd.content, fcr.category_id
FROM %sfaqdata fd
LEFT JOIN %sfaqcategoryrelations fcr
ON fd.id = fcr.record_id AND fd.lang = fcr.record_lang
WHERE fd.solution_id = %d',
Database::getTablePrefix(),
Database::getTablePrefix(),
$solutionId,
);
// ...
}
No WHERE-clause permission filter, no group/user filter. Every callsite that trusts this method exposes restricted FAQs. The route at phpmyfaq/src/phpMyFAQ/Controller/Frontend/FaqController.php:172 uses this result to compute a slugified URL and 301-redirects to it:
#[Route(path: '/solution_id_{solutionId}.html', name: 'public.faq.solution', methods: ['GET'])]
public function solution(Request $request): Response
{
$solutionId = Filter::filterVar($request->attributes->get('solutionId'), FILTER_VALIDATE_INT,...
4.1.24.1.2Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:NA:N7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N