CurrentUser::setTokenData() in phpmyfaq/src/phpMyFAQ/User/CurrentUser.php at lines 515-534 builds a SQL UPDATE statement with sprintf and interpolates OAuth token fields (refresh_token, access_token, code_verifier, and json_encode($token['jwt'])) without calling $db->escape(). Sibling methods setAuthSource() and setRememberMe() in the same file do call $db->escape() on user-controlled values, so the omission is local to this method. An attacker (Bob) whose Azure AD display name contains a single quote (for example O'Brien, or a deliberate SQL payload) breaks out of the string literal and injects arbitrary SQL against the phpMyFAQ database.
Vulnerable code (phpmyfaq/src/phpMyFAQ/User/CurrentUser.php, lines 513-534):
public function setTokenData(#[\SensitiveParameter] array $token): bool
{
$update = sprintf(
"
UPDATE
%sfaquser
SET
refresh_token = '%s',
access_token = '%s',
code_verifier = '%s',
jwt = '%s'
WHERE
user_id = %d",
Database::getTablePrefix(),
$token['refresh_token'],
$token['access_token'],
$token['code_verifier'],
json_encode($token['jwt'], JSON_THROW_ON_ERROR),
$this->getUserId(),
);
return (bool) $this->configuration->getDb()->query($update);
}
json_encode() does NOT escape single quotes. A JWT claim such as {"preferred_username": "O'Malley"} produces {"preferred_username":"O'Malley"} after json_encode, which terminates the SQL string literal at the apostrophe.
Correct pattern in the same file (setAuthSource, line 458-461):
$update = sprintf(
"UPDATE %sfaquser SET auth_source = '%s' WHERE user_id = %d",
Database::getTablePrefix(),
$this->configuration->getDb()->escape($authSource),
$this->getUserId(),
);
setRememberMe() (line 471-478) follows the same safe pattern with...
4.1.24.1.2Exploitability
AV:NAC:HPR:NUI:RScope
S:UImpact
C:HI:HA:H7.5/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H