Weak password at demo website version 3.1.9 in thorsten/phpmyfaq

Valid

Reported on

Dec 23rd 2022


Description

The demo website is now on version 3.1.9 but is still affected by the weak password requirement: the "Change password" function accepts a one-character password.

Proof of Concept

#1. Log in to the demo website with any user.

#2. Use the "Change password" function and set the new password to the single digit 1.

#3. The change succeeds; log out and log in again with the new password to confirm it.
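A server-side policy check that would reject the one-character password from the steps above, as an added example (not phpMyFAQ's own code and not the fix shipped in 3.1.10; the function names, the minimum length of 8 and the deny-list entries are assumptions):

```php
<?php
declare(strict_types=1);

// Hypothetical policy check for a "change password" handler (added example,
// not phpMyFAQ's code). Returns the reasons a candidate is rejected; empty = OK.
function passwordPolicyViolations(string $candidate, string $username, int $minLength = 8): array
{
    $reasons = [];
    // Count characters, not bytes, so multibyte passwords are not over-counted.
    if (mb_strlen($candidate) < $minLength) {
        $reasons[] = sprintf('must be at least %d characters long', $minLength);
    }
    // The password "1" from the report is purely numeric.
    if ($candidate !== '' && ctype_digit($candidate)) {
        $reasons[] = 'must not consist of digits only';
    }
    // Reject passwords containing the account name (case-insensitive).
    if ($username !== '' && stripos($candidate, $username) !== false) {
        $reasons[] = 'must not contain the username';
    }
    // Constructed deny-list; production code should use a large breached-password list.
    $denyList = ['password', '12345678', 'qwertyui', 'letmein1'];
    if (in_array(mb_strtolower($candidate), $denyList, true)) {
        $reasons[] = 'is on the list of commonly used passwords';
    }
    return $reasons;
}

// Handler sketch: verify the current password, apply the policy, then hash the new one.
function changePassword(string $username, string $storedHash, string $oldPassword, string $newPassword): array
{
    if (!password_verify($oldPassword, $storedHash)) {
        return ['ok' => false, 'reasons' => ['current password is incorrect']];
    }
    $violations = passwordPolicyViolations($newPassword, $username);
    if ($violations !== []) {
        return ['ok' => false, 'reasons' => $violations];
    }
    return ['ok' => true, 'hash' => password_hash($newPassword, PASSWORD_DEFAULT)];
}

// Constructed demo: the report's password "1" is rejected, a strong one is accepted.
$storedHash = password_hash('OldPassw0rd!', PASSWORD_DEFAULT);
var_dump(changePassword('admin', $storedHash, 'OldPassw0rd!', '1')['reasons']);
var_dump(changePassword('admin', $storedHash, 'OldPassw0rd!', 'Correct-Horse-42')['ok']);
```

Enforcing the policy on the server, not only in browser-side validation, is what closes the issue, since the request can be submitted without the form.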

Impact

With no minimum password requirement, users' passwords can be trivially guessed or recovered by brute-force attack.

thorsten/phpmyfaq maintainer has acknowledged this report 5 months ago
Thorsten Rinne gave praise 5 months ago
Thorsten Rinne validated this vulnerability 5 months ago
Chuu has been awarded the disclosure bounty
Thorsten Rinne marked this as fixed in 3.1.10 with commit 8beed2 5 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
Chuu
5 months ago

Researcher


thank you so much, now I will wait for my CVE number.

Thorsten Rinne published this vulnerability 4 months ago