#VU71357 Weak password requirements in phpMyFAQ - CVE-2023-0307


Vulnerability identifier: #VU71357

Vulnerability risk: Medium

CVSSv4.0: 4.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-0307

CWE-ID: CWE-521

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
phpMyFAQ
Server applications / Other server solutions

Vendor: Thorsten Rinne

Description

The vulnerability allows a remote attacker to perform brute-force attack and guess the password.

The vulnerability exists due to weak password requirements. A remote user can perform a brute-force attack and guess users' passwords.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

phpMyFAQ: 2.5.2 - 3.1.9

External links
https://github.com/thorsten/phpmyfaq/commit/8beed2fca5b0b82c6ba866d0ffd286d0c1fbf596
https://huntr.dev/bounties/fac01e9f-e3e5-4985-94ad-59a76485f215

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in phpMyFAQ