GHSA-9WJ2-4HCM-R74J

Vulnerability from github – Published: 2025-10-03 14:52 – Updated: 2025-10-13 15:10
VLAI?
Summary
phpMyFAQ duplicate email registration allows multiple accounts with the same email
Details

Summary

phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover.

Details

An account management logic flaw in phpMyFAQ allows attackers to register multiple accounts under the same email address. If email is used for password reset or administrative flows, this may result in account takeover, loss of accountability, and abuse of business logic.

PoC

1.Register a user with email test@example.com 2.Register another user with the same email. 3.Both accounts appear in /admin/?action=user&user_action=listallusers. image

Impact

-Data integrity loss: Multiple accounts mapped to one email break auditability. -Password reset ambiguity: If reset flow relies on email only, attackers can target or take over accounts. -Privilege escalation: If one account with the same email has admin privileges, an attacker controlling the email may escalate. -Spam / DoS: Attackers can mass-register accounts with a single email to pollute the system.

This is a business logic / authentication vulnerability. Impacted users are anyone relying on phpMyFAQ’s account system where email is assumed to be unique.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.7"
            },
            {
              "fixed": "4.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-286"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-03T14:52:33Z",
    "nvd_published_at": "2025-10-03T21:15:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nphpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover.\n\n### Details\nAn account management logic flaw in phpMyFAQ allows attackers to register multiple accounts under the same email address. If email is used for password reset or administrative flows, this may result in account takeover, loss of accountability, and abuse of business logic.\n### PoC\n\n1.Register  a user with email test@example.com\n2.Register another user with the same email.\n3.Both accounts appear in /admin/?action=user\u0026user_action=listallusers.\n\u003cimg width=\"1150\" height=\"628\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8c19f01a-e897-4ca7-b3f8-fcf83e6ff952\" /\u003e\n\n### Impact\n\n-Data integrity loss: Multiple accounts mapped to one email break auditability.\n-Password reset ambiguity: If reset flow relies on email only, attackers can target or take over accounts.\n-Privilege escalation: If one account with the same email has admin privileges, an attacker controlling the email may escalate.\n-Spam / DoS: Attackers can mass-register accounts with a single email to pollute the system.\n\nThis is a business logic / authentication vulnerability. Impacted users are anyone relying on phpMyFAQ\u2019s account system where email is assumed to be unique.",
  "id": "GHSA-9wj2-4hcm-r74j",
  "modified": "2025-10-13T15:10:22Z",
  "published": "2025-10-03T14:52:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9wj2-4hcm-r74j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/44cd20f86eb041f39d1c30a9beefad1cc61dc0ec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ duplicate email registration allows multiple accounts with the same email"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.