The UI Performs the Wrong Action in pheditor/pheditor


Reported on

Oct 2nd 2021


With your new fix in, it is basically impossible to change the password now because you forgot to add in the CSRF token in the reset password functionality, hence the password cannot be changed from 'admin'.

Proof of Concept

Trying to reset the password gives:

Error: Invalid token. Please reload the page.


Users cannot change the default password in the new fix. Hence attackers can login into PHEditor via logging via 'admin' password.

We have contacted a member of the pheditor team and are waiting to hear back a year ago
Hamid Samak validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on 957014 a year ago
Hamid Samak has been awarded the fix bounty
to join this conversation