{"uuid": "98722885-5d45-436f-9447-4347fc8deafe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-9qv9-8xv6-5p35", "type": "seen", "source": "https://gist.github.com/alon710/1978cf3711bfca18edca91ae863c89b9", "content": "# GHSA-9QV9-8XV6-5P35: GHSA-9qv9-8xv6-5p35: Unauthenticated Password Reset and Enumeration Flaw in phpMyFAQ\n\n> **CVSS Score:** 7.0\n> **Published:** 2026-05-20\n> **Full Report:** https://cvereports.com/reports/GHSA-9QV9-8XV6-5P35\n\n## Summary\nphpMyFAQ versions 4.1.2 and prior contain a critical logic flaw in the REST API password recovery mechanism. The endpoint processes password resets in a single, unauthenticated step, allowing remote attackers to forcefully change database credentials for arbitrary accounts while facilitating user enumeration through observable response discrepancies.\n\n## TL;DR\nA weak password recovery mechanism in phpMyFAQ <= 4.1.2 allows unauthenticated attackers to force password resets for targeted users and enumerate valid accounts. The system immediately updates the database password upon receiving a matching username and email, bypassing standard token-based verification.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CVSS Score**: 7.0 (High)\n- **Attack Vector**: Network\n- **Privileges Required**: None\n- **User Interaction**: None\n- **CWE ID**: CWE-640, CWE-204\n- **Exploit Status**: Proof of Concept Available\n\n## Affected Systems\n\n- phpMyFAQ REST API\n- phpMyFAQ Frontend Controller\n- **phpMyFAQ**: <= 4.1.2 (Fixed in: `4.1.3`)\n\n## Mitigation\n\n- Upgrade phpMyFAQ to version 4.1.3 or later.\n- Implement strict rate limiting on unauthenticated REST API endpoints.\n- Deploy Web Application Firewall (WAF) rules to restrict access to the `/api/index.php/user/password/update` endpoint.\n\n**Remediation Steps:**\n1. Verify current phpMyFAQ installation version.\n2. Backup the phpMyFAQ database and file system.\n3. Download the official phpMyFAQ 4.1.3 release from the vendor repository.\n4. Apply the update following the official phpMyFAQ upgrade documentation.\n5. Verify the application REST API responses no longer exhibit differential behavior for invalid users.\n\n## References\n\n- [Official Advisory: phpMyFAQ Security Advisory 2026-05-14](https://www.phpmyfaq.de/security/advisory-2026-05-14/)\n- [GitHub Advisory: GHSA-9qv9-8xv6-5p35](https://github.com/advisories/GHSA-9qv9-8xv6-5p35)\n- [OSV Data: GHSA-9qv9-8xv6-5p35](https://osv.dev/vulnerability/GHSA-9qv9-8xv6-5p35)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-9QV9-8XV6-5P35) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T03:10:51.000000Z"}