A review of phpMyFAQ-main uncovered an authorization issue in the admin-api routes.
Several backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access API endpoints that are clearly intended for administrative use.
During local reproduction, a regular user account was able to request /admin/api/index.php/dashboard/versions and receive a successful response from the backend management API.
This issue does not appear to give direct write access in the affected paths that were confirmed, so it should be treated as a backend information disclosure and privilege boundary failure rather than full admin compromise.
The access control split is visible in the controller base class:
public function userIsAuthenticated(): void
{
if (!$this->currentUser->isLoggedIn()) {
throw new UnauthorizedHttpException('Unauthorized access.');
}
}
protected function userHasPermission(PermissionType $permissionType): void
{
// permission-based check
}
The problem is that several Administration\Api controllers use the weaker check even though the routes sit under the backend API namespace.
For example, phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php exposes:
#[Route(path: 'dashboard/versions', name: 'admin.api.dashboard.versions', methods: ['GET'])]
public function versions(): JsonResponse
{
$this->userIsAuthenticated();
...
}
The same pattern appears in other backend-facing controllers, including:
LdapControllerElasticsearchControllerOpenSearchControllerUpdateControllerThat matters because these endpoints are not part of the normal frontend feature set. They expose backend operational data such as version checks, upgrade state, LDAP configuration, health checks, and search backend status.
Three examples that stand...
4.1.14.1.24.1.14.1.2Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:LI:NA:N4.3/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N