{"uuid": "c3d40782-5a0f-4a91-9578-3ad2e62416e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-XVP4-PHQJ-CJR3", "type": "seen", "source": "https://gist.github.com/alon710/cb972f8f962d8bc96860b04de0a95070", "content": "# GHSA-XVP4-PHQJ-CJR3: GHSA-XVP4-PHQJ-CJR3: Insecure Direct Object Reference (IDOR) Leading to Account Takeover in phpMyFAQ\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-20\n> **Full Report:** https://cvereports.com/reports/GHSA-XVP4-PHQJ-CJR3\n\n## Summary\nphpMyFAQ versions prior to 4.1.3 contain a critical Insecure Direct Object Reference (IDOR) vulnerability within the administration API. An authenticated attacker with basic user-edit privileges can exploit this flaw to overwrite the password of any higher-privileged user, including the SuperAdmin account. This leads to complete application compromise.\n\n## TL;DR\nAn IDOR vulnerability in phpMyFAQ < 4.1.3 allows authenticated low-privileged administrators to purposefully reset the SuperAdmin password, resulting in total privilege escalation and account takeover.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CVE ID**: GHSA-xvp4-phqj-cjr3\n- **CVSS Score**: 8.8\n- **Attack Vector**: Network\n- **Authentication Required**: Low Privilege (USER_EDIT)\n- **CWE ID**: CWE-639, CWE-285\n- **Impact**: Complete Account Takeover\n- **Exploit Status**: PoC Available\n\n## Affected Systems\n\n- phpMyFAQ (< 4.1.3)\n- **phpmyfaq/phpmyfaq**: < 4.1.3 (Fixed in: `4.1.3`)\n\n## Mitigation\n\n- Upgrade phpMyFAQ to version 4.1.3 or later.\n- Implement WAF rules to restrict PUT requests to the vulnerable API endpoint.\n- Audit administrative accounts to ensure minimal distribution of the USER_EDIT permission.\n- Enable verbose auditing for administrative actions, specifically monitoring the USER_CHANGE_PASSWORD event.\n\n**Remediation Steps:**\n1. Back up the current phpMyFAQ database and file system.\n2. Download the latest stable release (>= 4.1.3) from the official repository or via Composer.\n3. Deploy the updated application files over the existing installation.\n4. Run the phpMyFAQ update script to apply any necessary database migrations.\n5. Verify the integrity of all administrative accounts and reset the password of the SuperAdmin account as a precaution.\n\n## References\n\n- [GitHub Advisory](https://github.com/advisories/GHSA-xvp4-phqj-cjr3)\n- [Official Repository](https://github.com/thorsten/phpMyFAQ)\n- [Vulnerability Listing](https://www.phpmyfaq.de/advisories/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-XVP4-PHQJ-CJR3) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-20T19:40:50.000000Z"}