4.0.14

Author: thorsten

content/news/2025.md

@@ -5,9 +5,14 @@ canonical: news/2025
 layout: news_md.hbs
 ---
 
-### 2025-10-12
+### 2025-11-15
 
----
+The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.14](/download),
+the "Ace Frehley" release.
+This release fixes a security vulnerability, fixes the reported bugs, and we updated our third party dependencies.
+[Click here to find a detailed security advisory](/security/advisory-2025-11-15).
+
+### 2025-10-12
 
 After eleven years we finally re-built our website from scratch.
 The content is still the same, but the design is now modern and responsive.
@@ -16,8 +21,6 @@ We made heavy use of Anthropic's Claude Code to help us with the content migrati
 
 ### 2025-10-04
 
----
-
 We’re excited to announce the release of [phpMyFAQ 4.1.0-alpha.3](/download), the "Jane Goodall" release.
 This version introduces several new features and experimental improvements.
 You can now edit the llms.txt configuration file and benefit from full EU Data Act 2025 compliance.
@@ -27,45 +30,33 @@ updates via the command line, .env file configuration, and Mago.
 
 ### 2025-10-03
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.13](/download), the "Claudia Cardinale" release.
 This release fixes a security vulnerability, fixes the reported bugs, and we updated our third party dependencies.
 [Click here to find a detailed security advisory](/security/advisory-2025-10-03).
 
 ### 2025-09-23
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.12](/download),
 the "Robert Redford" release.
 This release fixes all reported bugs, and we updated our third party dependencies.
 
 ### 2025-09-13
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.11](/download), the "Brent Hinds" release.
 This release re-adds the rewrite rules for ISS, fixes the reported bugs, and we updated our third party dependencies.
 
 ### 2025-08-02
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.10](/download), the "Laura Dahlmeier" release.
 This release fixes all reported bugs, and we updated our third party dependencies.
 
 ### 2025-07-06
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.9](/download), the "Brian Wilson" release.
 This release fixes a lot of reported bugs, and we updated our third party dependencies.
 
 ### 2025-06-01
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.1.0-alpha.2](/download),
 the "Rick Derringer" release.
 The second alpha release of phpMyFAQ 4.1.0 changes the PHP requirement to PHP 8.3 or later,
@@ -78,29 +69,21 @@ We also migrated our unittests to PHPUnit 12.
 
 ### 2025-05-10
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.8](/download), the "Val Kilmer" release.
 This release fixes a lot of reported bugs, and we updated third party dependencies.
 
 ### 2025-03-24
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.7](/download), the "Eddie Jordan" release.
 This release fixes all reported bugs, and we updated our third party dependencies.
 
 ### 2025-02-23
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.6](/download), the "Horst Köhler" release.
 This release updates the French translation, we fixed all reported bugs, and we updated third party dependencies.
 
 ### 2025-02-12
 
----
-
 We’re excited to announce the release of [phpMyFAQ 4.1.0-alpha](/download), the "Marianne Faithfull" release.
 This version introduces several important improvements for our 24th birthday.
 You can now edit the robots.txt configuration. The administration backend now uses Symfony Routing.
@@ -111,30 +94,22 @@ from Webpack to Vite v6 and from Jest to Vitest v3.
 
 ### 2025-01-19
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.5](/download), the "David Lynch" release.
 This release updates the Hellenic translation, we fixed all reported bugs, and we updated third party dependencies.
 
 ### 2025-01-09
 
----
-
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.4](/download), the "Robert Paul Wolff" release.
 This release improves the update from v3 installations,
 we updated third party dependencies, and we fixed all reported bugs.
 
 ### 2025-01-03
 
----
-
 The phpMyFAQ Team would like to announce the availability of [phpMyFAQ 4.0.3](/download), the "Teddy de Baer" release.
-This release fixes an installation issue, that was introduced in phpMyFAQ 4.0.2.
+This release fixes an installation issue that was introduced in phpMyFAQ 4.0.2.
 
 ### 2025-01-02
 
----
-
 Happy new year!
 
 The phpMyFAQ Team is pleased to announce [phpMyFAQ 4.0.2](/download), the "Jimmy Carter" release.

content/security/advisory-2025-11-15.md

@@ -0,0 +1,36 @@
+---
+title: Security Advisory 2025-11-15
+description: Authenticated SQL Injection in Configuration Update Functionality in phpMyFAQ
+canonical: security/advisory-2025-11-15
+layout: security.hbs
+---
+
+## Authenticated SQL Injection in Configuration Update Functionality in phpMyFAQ
+
+**Issued on::** 2025-11-15
+**Software::** phpMyFAQ <= 4.0.13
+**Risk::** High
+**Platforms::** all
+
+The phpMyFAQ Team has learned of a security issue that'd been discovered in phpMyFAQ 4.0.12 and
+earlier.
+
+## Description
+
+An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and 
+prior) allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. 
+Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all 
+data, as well as potential remote code execution depending on the database configuration.
+
+## Solution
+
+The phpMyFAQ Team has released the new phpMyFAQ version 4.0.14, which fixes the vulnerability. All
+users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
+
+## Workaround
+
+There's no workaround except installing phpMyFAQ 4.0.14.
+
+## Thanks
+
+The phpMyFAQ team would like to thank Yihao Peng for the responsible disclosures of this vulnerability.

data/development.json

@@ -8,4 +8,4 @@
     "filesize": 13.63,
     "md5": "c3979f5c17c31baab624670e5dbc5189"
   }
-}
+}

data/stable.json

@@ -1,11 +1,11 @@
 {
-  "version": "4.0.13",
+  "version": "4.0.14",
   "zip": {
     "filesize": 18.11,
-    "md5": "a7f006835a7cb4c89884435195071375"
+    "md5": "1f2a8ee89355fecc2e3f4993a25bd9a8"
   },
   "targz": {
-    "filesize": 14.81,
-    "md5": "e98c42f890f070c2affb68a51c0b1987"
+    "filesize": 14.82,
+    "md5": "c374e1724624dce10de2dd886cf1d9ba"
   }
-}
+}

data/versions.json

@@ -1,8 +1,8 @@
 {
-  "stable": "4.0.13",
-  "stable_released": "2025-10-03",
+  "stable": "4.0.14",
+  "stable_released": "2025-11-15",
   "development": "4.1.0-alpha.3",
   "development_released": "2025-10-04",
-  "nightly": "nightly-2025-10-03",
-  "nightly_released": "2025-10-03"
-}
+  "nightly": "nightly-2025-11-14",
+  "nightly_released": "2025-11-14"
+}

package.json

@@ -29,39 +29,39 @@
     "@types/marked": "^5.0.2",
     "bootstrap": "^5.3.8",
     "gray-matter": "^4.0.3",
-    "marked": "^16.4.1",
+    "marked": "^16.4.2",
     "next": "15.5.4",
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
-    "sass": "^1.93.2"
+    "sass": "^1.94.0"
   },
   "devDependencies": {
     "@commitlint/cli": "^20.1.0",
     "@commitlint/config-conventional": "^20.0.0",
     "@commitlint/types": "^20.0.0",
-    "@eslint/js": "^9.0.0",
+    "@eslint/js": "^9.39.1",
     "@next/eslint-plugin-next": "15.5.4",
     "@playwright/test": "^1.56.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.0",
     "@testing-library/user-event": "^14.6.1",
-    "@types/node": "^20.19.24",
-    "@types/react": "^19.2.2",
-    "@types/react-dom": "^19.2.2",
-    "@typescript-eslint/eslint-plugin": "^8.0.0",
-    "@typescript-eslint/parser": "^8.0.0",
-    "@vitejs/plugin-react": "^5.1.0",
+    "@types/node": "^20.19.25",
+    "@types/react": "^19.2.5",
+    "@types/react-dom": "^19.2.3",
+    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@typescript-eslint/parser": "^8.46.4",
+    "@vitejs/plugin-react": "^5.1.1",
     "@vitest/coverage-v8": "3.2.4",
     "conventional-changelog-atom": "^5.0.0",
-    "eslint": "^9.0.0",
+    "eslint": "^9.39.1",
     "eslint-config-next": "15.5.4",
-    "eslint-config-prettier": "^9.1.0",
-    "globals": "^15.12.0",
+    "eslint-config-prettier": "^9.1.2",
+    "globals": "^15.15.0",
     "husky": "^9.1.7",
-    "jsdom": "^27.0.1",
+    "jsdom": "^27.2.0",
     "lint-staged": "^16.2.6",
     "postcss": "^8.5.6",
-    "prettier": "^3.3.3",
+    "prettier": "^3.6.2",
     "tailwindcss": "^3.4.18",
     "typescript": "^5.9.3",
     "vitest": "^3.2.4"