Phpmyfaq · Phpmyfaq · CVE-2026-35675
**Name of the Vulnerable Software and Affected Versions**
phpMyFAQ versions prior to 4.1.3
**Description**
An authentication bypass exists in the password reset mechanism that allows unauthenticated attackers to reset any user account password, including SuperAdmin accounts. By sending a PUT request to the "/api/user/password/update" endpoint with a valid `username` and associated `email`, an attacker can trigger a password reset without token verification, rate limiting, or email confirmation. The system then sends a new plaintext password via email, enabling complete account takeover and full administrative access. The issue is located in the `updatePassword()` function within the `UnauthorizedUserController.php` file. Attackers can also use this endpoint to enumerate valid usernames by analyzing the error responses when providing incorrect email addresses.
**Recommendations**
Update to version 4.1.3 or later.
As a temporary workaround, restrict access to the "/api/user/password/update" endpoint to minimize the risk of exploitation.
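While the workaround is in place, it is worth watching the web server access log for the abuse pattern the description implies: one client repeatedly calling the reset endpoint, most calls failing on a username/email mismatch. The following detector is an added example, not code from phpMyFAQ or the advisory; it assumes a combined-log-format access log, that a mismatch returns a 4xx status, and uses constructed sample lines and documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory.
RESET_ENDPOINT = "/api/user/password/update"

# Combined-log-format line (assumed log format, not phpMyFAQ's own logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering the endpoint (4xx = assumed mismatch
# response), one ordinary client making a single legitimate reset request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "PUT /api/user/password/update HTTP/1.1" 400 87
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "PUT /api/user/password/update HTTP/1.1" 400 87
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "PUT /api/user/password/update HTTP/1.1" 400 87
203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "PUT /api/user/password/update HTTP/1.1" 400 87
203.0.113.7 - - [10/Mar/2026:12:00:04 +0000] "PUT /api/user/password/update HTTP/1.1" 200 42
198.51.100.9 - - [10/Mar/2026:12:00:05 +0000] "PUT /api/user/password/update HTTP/1.1" 200 42
198.51.100.9 - - [10/Mar/2026:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120
"""


def find_reset_abuse(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {ip: (reset_calls, failed_calls)} for clients that sent more than
    `threshold` PUT requests to the reset endpoint inside any sliding `window`."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT" or m.group("path") != RESET_ENDPOINT:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        per_ip[m.group("ip")].append((ts, int(m.group("status"))))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                failed = sum(1 for _, status in events if status >= 400)
                flagged[ip] = (len(events), failed)
                break
    return flagged
```

A high ratio of failed to total calls from one address is the enumeration signature described above; a burst with a trailing 200 is the one to treat as a likely successful reset and follow up on.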