Weak Password Requirement in thorsten/phpmyfaq

Valid

Reported on

Oct 20th 2022


Description

The change password function accepts a new password that is only 1 character long.

Proof of Concept

When you change your password, type just one character and then submit. Your password has been changed.

Impact

When users change their password to one that is too simple, an attacker can easily guess it and access the account.
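A server-side check of the kind this report calls for, as an added example. It is not phpMyFAQ code and not the contents of the fix commit. The minimum length, the sample deny list, and the function names `passwordPolicyErrors` and `changePassword` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed policy value for this example; it is not taken from phpMyFAQ.
const MIN_PASSWORD_LENGTH = 8;
// Constructed sample deny list; a real deployment would load a larger one.
const DENIED_PASSWORDS = ['password', '12345678', 'qwertyuiop'];

/** Returns the policy violations for a requested password change (empty = accepted). */
function passwordPolicyErrors(string $login, string $new, string $confirm): array
{
    $errors = [];
    if ($new !== $confirm) {
        $errors[] = 'confirmation does not match';
    }
    // Count characters, not bytes (requires ext-mbstring).
    if (mb_strlen($new, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $errors[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    $lowered = mb_strtolower($new, 'UTF-8');
    if ($lowered === mb_strtolower($login, 'UTF-8') || in_array($lowered, DENIED_PASSWORDS, true)) {
        $errors[] = 'equal to the login name or a commonly used password';
    }
    return $errors;
}

/** Hypothetical handler: hashes and stores the password only if the policy passes. */
function changePassword(string $login, string $new, string $confirm, callable $storeHash): array
{
    $errors = passwordPolicyErrors($login, $new, $confirm);
    if ($errors === []) {
        $storeHash($login, password_hash($new, PASSWORD_DEFAULT));
    }
    return $errors;
}

// Constructed inputs: the one-character password from the report, then a passphrase.
$store = function (string $login, string $hash): void { /* persist the hash here */ };
foreach (['a', 'correct horse battery staple'] as $candidate) {
    $errors = changePassword('admin', $candidate, $candidate, $store);
    $verdict = $errors === [] ? 'accepted' : ('rejected: ' . implode('; ', $errors));
    echo str_pad("'" . $candidate . "'", 32), $verdict, PHP_EOL;
}
```

The check has to run on the server in the password-change handler itself, since a length rule enforced only in the form can be bypassed by submitting the request directly.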

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago
Hoang Van Hiep modified the report
3 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago
Thorsten Rinne validated this vulnerability 3 months ago
Hoang Van Hiep has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne gave praise 3 months ago
Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hoang Van Hiep
3 months ago

Researcher


Can you assign a CVE?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. 3 months ago
Thorsten Rinne
3 months ago

Maintainer


@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d 3 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Thorsten Rinne published this vulnerability 2 months ago