GHSA-99qv-g4x9-mgc3: phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query

The public /solution_id_{id}.html route calls Faq::getIdFromSolutionId() in phpmyfaq/src/phpMyFAQ/Faq.php:1312. That query joins faqdata with faqcategoryrelations solely by solution_id and returns the matching FAQ’s id, lang, thema (title), and category_id with no permission filter. An unauthenticated visitor hits the route with a sequential integer and the server 301-redirects to /content/<category>/<id>/<lang>/<title-slug>.html, leaking the FAQ’s existence, internal id, language, category binding, and title via the redirect’s Location header and the redirected page’s canonical link, share-to-social URLs, and hidden form fields. The related getFaqBySolutionId() at line 1221 contains an explicit fallback query (added “for tests”) that also bypasses the permission filter, widening the blast radius to any callsite that trusts its result.