PT-2021-10884 · Z Blogphp · Z-Blogphp

Published

2021-01-27

·

Updated

2021-02-04

·

CVE-2020-23352

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Z-BlogPHP version 1.6.0 Valyria

Description

The issue is incorrect access control (an authentication bypass) in Z-BlogPHP. The function passwordvisit_input_password() in zb_user/plugin/passwordvisit/include.php checks the visitor-supplied password with PHP's loose comparison operator (==) rather than a strict comparison. PHP treats strings of the form 0e<digits> as numeric (0 × 10^n), so two different strings that both match that pattern compare equal (0 == 0). An attacker can therefore submit a crafted "magic hash" value that satisfies the check without knowing the configured password.

Recommendations

Until a fixed release of Z-BlogPHP 1.6.0 Valyria is available, disable the passwordvisit plugin (the password-protected visit feature implemented in zb_user/plugin/passwordvisit/include.php) or restrict access to the content it protects by other means. When patching, replace the loose comparison in passwordvisit_input_password() with a strict, constant-time comparison (=== or hash_equals()), so that type juggling of magic hash values can no longer satisfy the check.
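The following is an added illustration of the flaw class described above and its fix; it is not Z-BlogPHP's code. The page does not show the plugin's source, so the function names, the MD5-based storage and the demo values are assumptions chosen to make the type-juggling behaviour reproducible:

```php
<?php
// Added illustration of the flaw class described above, NOT Z-BlogPHP's own code.
// The plugin's real variable names and storage format are not shown on this page;
// the MD5 storage, the function names and the sample passwords are assumptions.

declare(strict_types=1);

// Vulnerable pattern: loose comparison (==) of two hex digests.
// PHP treats strings of the form "0e<digits>" as numeric (0 * 10^n), so two
// different digests that both look like that compare equal (0 == 0).
function checkPasswordLoose(string $submitted, string $storedHash): bool
{
    return md5($submitted) == $storedHash;   // BUG: loose comparison
}

// Hardened pattern: constant-time, byte-exact comparison of the digests.
// (MD5 for an access password is itself weak; password_hash()/password_verify()
// is the right primitive and is shown in checkPasswordStrong.)
function checkPasswordStrict(string $submitted, string $storedHash): bool
{
    return hash_equals($storedHash, md5($submitted));
}

// Preferred: a salted, slow password hash with its own constant-time verifier.
function checkPasswordStrong(string $submitted, string $storedPasswordHash): bool
{
    return password_verify($submitted, $storedPasswordHash);
}

// Constructed demo data. "240610708" and "QNKCDZO" are well-known MD5 "magic hash"
// preimages: both digests start with "0e" followed only by decimal digits.
$ownerPassword = '240610708';
$storedHash    = md5($ownerPassword);   // 0e462097431906509019562988736854
$attackerInput = 'QNKCDZO';             // md5 => 0e830400451993494058024219903391

printf("stored digest   : %s\n", $storedHash);
printf("attacker digest : %s\n", md5($attackerInput));
printf("loose (==)      : %s\n", checkPasswordLoose($attackerInput, $storedHash) ? 'BYPASSED' : 'denied');
printf("hash_equals()   : %s\n", checkPasswordStrict($attackerInput, $storedHash) ? 'BYPASSED' : 'denied');

$strongHash = password_hash($ownerPassword, PASSWORD_DEFAULT);
printf("password_verify (attacker): %s\n", checkPasswordStrong($attackerInput, $strongHash) ? 'BYPASSED' : 'denied');
printf("password_verify (owner)   : %s\n", checkPasswordStrong($ownerPassword, $strongHash) ? 'accepted' : 'denied');
```

Run with `php demo.php`. The loose check reports BYPASSED for the attacker's input even though the two digests differ in every position after "0e", while hash_equals() and password_verify() reject it. The bypass requires the value on the other side of == to also be a numeric-looking string, which is why replacing the operator (rather than just filtering input) is the correct fix.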

Fix


Related Identifiers

CVE-2020-23352

Affected Products

Z-Blogphp