The UI Performs the Wrong Action in pheditor/pheditor


Reported on

Oct 2nd 2021


With your new fix in, it is basically impossible to change the password now because you forgot to add in the CSRF token in the reset password functionality, hence the password cannot be changed from 'admin'.

Proof of Concept

Trying to reset the password gives:

Error: Invalid token. Please reload the page.


Users cannot change the default password in the new fix. Hence attackers can log in to PHEditor using the 'admin' password.
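The failure reported above (a server that rejects any POST without a valid CSRF token, and one form that never sends it) can be caught before release with a template check. This is an added example, not part of the original report or pheditor's code; the field name `token`, the form ids and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "token"  # assumed name; the report only shows the "Invalid token" error


class FormAudit(HTMLParser):
    """Collect each <form> with its id, method and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"id": a.get("id", "?"),
                          "method": (a.get("method") or "get").lower(),
                          "fields": set()}
            self.forms.append(self._open)
        elif tag in ("input", "textarea", "select", "button") and self._open is not None:
            if a.get("name"):
                self._open["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def post_forms_missing_token(html, field=TOKEN_FIELD):
    """Return ids of POST forms that would be rejected for lacking the token."""
    audit = FormAudit()
    audit.feed(html)
    return [f["id"] for f in audit.forms
            if f["method"] == "post" and field not in f["fields"]]


# Constructed sample markup (not pheditor's real templates)
SAMPLE = """
<form id="login" method="post">
  <input type="hidden" name="token" value="abc123">
  <input type="password" name="password">
</form>
<form id="change-password" method="POST">
  <input type="password" name="new_password">
</form>
<form id="search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    print(post_forms_missing_token(SAMPLE))
```

Running this over rendered pages in CI flags a state-changing form that was left out when token validation was added server-side.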

We have contacted a member of the pheditor team and are waiting to hear back 2 years ago
Hamid Samak validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed with commit 957014 2 years ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE