Weak Password Requirement in thorsten/phpmyfaq

Valid

Reported on

Oct 20th 2022


Description

We can change the password to just 1 character when we use the change password function.

Proof of Concept

When you change your password, just press a character and then submit. Your password has been changed.

Impact

When users change their password to one that is too simple, an attacker can easily guess the user's password and access the account.
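
A server-side policy check of the kind whose absence is described above, as an added example: this is not phpMyFAQ's code and not the content of the linked fix. The function names, the 8-character minimum, and the small deny-list are assumptions made for illustration, and the mbstring extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Assumed policy values for this example; not phpMyFAQ's actual settings.
const MIN_PASSWORD_LENGTH = 8;
// Constructed sample deny-list; a deployment would load a much larger one.
const COMMON_PASSWORDS = ['password', '12345678', 'qwertyuiop', 'letmein123'];

/** Hypothetical helper: returns the policy violations (empty array = acceptable). */
function validateNewPassword(string $new, string $confirm, string $login): array
{
    $errors = [];
    if (!hash_equals($new, $confirm)) {
        $errors[] = 'Password and confirmation do not match.';
    }
    // Count characters rather than bytes so multi-byte input is measured correctly.
    if (mb_strlen($new, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $errors[] = sprintf('Password must be at least %d characters.', MIN_PASSWORD_LENGTH);
    }
    $lowered = mb_strtolower($new, 'UTF-8');
    if ($login !== '' && $lowered === mb_strtolower($login, 'UTF-8')) {
        $errors[] = 'Password must not equal the login name.';
    }
    if (in_array($lowered, COMMON_PASSWORDS, true)) {
        $errors[] = 'Password is on the list of commonly used passwords.';
    }
    return $errors;
}

/**
 * Hypothetical change-password handler: the password is hashed only after the
 * policy passes. Returns [hash or null, list of errors].
 */
function changePassword(string $new, string $confirm, string $login): array
{
    $errors = validateNewPassword($new, $confirm, $login);
    $hash = $errors === [] ? password_hash($new, PASSWORD_DEFAULT) : null;
    return [$hash, $errors];
}

// Constructed inputs: the one-character password from the report, then a passphrase.
foreach (['a', 'correct horse battery staple'] as $candidate) {
    [$hash, $errors] = changePassword($candidate, $candidate, 'admin');
    echo $hash === null ? 'rejected: ' . implode(' ', $errors) : 'accepted', PHP_EOL;
}
```

The check has to run in the request handler itself; a length limit enforced only in the browser form does not stop a directly submitted request.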

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago
Hoang Van Hiep modified the report
a month ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a month ago
Thorsten Rinne validated this vulnerability a month ago
Hoang Van Hiep has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne gave praise a month ago
Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hoang Van Hiep
a month ago

Researcher


Can you assign a CVE?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. a month ago
Thorsten Rinne
a month ago

Maintainer


@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d a month ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Thorsten Rinne published this vulnerability a month ago