CVE-2024-54141: 
PHP vulnerability analysis and mitigation

phpMyFAQ, an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases, was found to expose database server credentials when connection to the database fails. This vulnerability affects versions prior to 4.0.0 and was discovered in January 2024 (GitHub Advisory).

The vulnerability exists in the database connection error handling where, upon a failed connection attempt, the application exposes sensitive database credentials in error messages. This occurs specifically when the database server is unreachable or misconfigured. The issue has been assigned CVE-2024-54141 with a CVSS v3.1 score of 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). The vulnerability is classified as CWE-209: Generation of Error Message Containing Sensitive Information (NVD).

If exploited, this vulnerability could allow attackers to obtain database credentials when the database connection fails. With these credentials, an attacker could potentially gain full control over the database, leading to unauthorized access to sensitive data and potential system compromise (GitHub Advisory).

The vulnerability has been fixed in phpMyFAQ version 4.0.0. Users are advised to upgrade to this version or later. The fix includes adding SensitiveParameter attributes for database usernames and passwords, and improving error handling to prevent credential exposure (GitHub Commit).