Weak Password Requirement in thorsten/phpmyfaq

Valid

Reported on

Oct 20th 2022

Description

We can change password with just 1 character when we use change password function.

Proof of Concept

When you change password, just press an charactor and then submit. Your password has been changed.

Impact

When users change password to a too simple password, attacker can easily guess user password and access account.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago

Hoang Van Hiep modified the report

3 months ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago

Thorsten Rinne validated this vulnerability 3 months ago

Hoang Van Hiep has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne gave praise 3 months ago

Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Hoang Van Hiep

commented 3 months ago

Researcher

Can you assign cve?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. 3 months ago

Thorsten Rinne

commented 3 months ago

Maintainer

@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d 3 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Thorsten Rinne published this vulnerability 2 months ago

to join this conversation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago

Hoang Van Hiep modified the report

3 months ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago

Thorsten Rinne validated this vulnerability 3 months ago

Hoang Van Hiep has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne gave praise 3 months ago

Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/d7a87d2646287828c70401ca8976ef531fbc77ea

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Hoang Van Hiep

commented 3 months ago

Researcher

Can you assign cve?

We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. 3 months ago

Thorsten Rinne

commented 3 months ago

Maintainer

@t1g3r0x never did that

Thorsten Rinne marked this as fixed in 3.1.8 with commit d7a87d 3 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Thorsten Rinne published this vulnerability 2 months ago

to join this conversation