Halas98

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 4.0-nightly-2025-10-03 and below **Description** phpMyFAQ does not enforce uniqueness of email addresses during user registration, allowing multiple distinct accounts to be created with the same email. This can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. Email is often used as an identifier for password resets, notifications, and administrative actions. The issue allows attackers to register multiple accounts under the same email address, potentially resulting in data integrity loss, password reset ambiguity, and privilege escalation. An attacker controlling the email may escalate privileges if one account with the same email has administrative privileges. **Recommendations** Update phpMyFAQ to version 4.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** Froxlor versions prior to 2.2.6 **Description** Froxlor is open-source server administration software. A vulnerability allows users, such as resellers or customers, to create accounts with the same email address as an existing account, creating potential issues with account identification and security. This vulnerability can be exploited by authenticated users who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. **Recommendations** For versions prior to 2.2.6, update to version 2.2.6 to fix the issue. As a temporary workaround, consider restricting account creation to prevent users from registering with an email address already in use by another account.