CVE-2023-2429 – thorsten/phpmyfaq

Package

Manager: composer
Name: thorsten/phpmyfaq
Vulnerable Version: >=0 <3.1.13

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00208 pctl0.43304

Details

phpMyFAQ Improper Access Control vulnerability phpMyFAQ prior to version 3.1.13 does not properly validate email addresses when updating user profiles. This vulnerability allows an attacker to manipulate their email address and change it to another email address that is already registered in the system, including email addresses belonging to other users such as the administrator. Once the attacker has control of the other user's email address, they can request to remove the user from the system, leading to a loss of data and access.

Metadata

Created: 2023-04-30T03:30:26Z
Modified: 2025-01-30T18:55:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-r69v-q48g-3966/GHSA-r69v-q48g-3966.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-r69v-q48g-3966
Finding: F039
Auto approve: 1