PT-2023-19516 · Thorsten · Phpmyfaq

Published 2023-04-30 · Updated 2025-01-30 · CVE-2023-2429

CVSS v3.1: 6.6 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
thorsten/phpmyfaq versions prior to 3.1.13
Description
The issue is an improper access control weakness in thorsten/phpmyfaq. When a user updates their own profile, phpMyFAQ does not check that the submitted email address is not already registered to another account, so an authenticated user can set their address to one belonging to another user, including the administrator. Once the attacker's profile carries the victim's address, they can request that user's removal from the system, leading to loss of the victim's data and access.
Recommendations
For versions prior to 3.1.13, update to version 3.1.13 or later. Until the upgrade is possible, restrict access to the user profile update functionality to reduce the chance of exploitation, and restrict who may remove users from the system so that a hijacked address cannot be turned into account deletion and data loss.
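The following is an added illustration of the flaw described above and of the check that closes it; it is example code written for this advisory, not phpMyFAQ's own code, and the user table, account names and addresses in it are constructed. It contrasts a profile-update handler that writes whatever address the form submits (the vulnerable pattern) with one that normalizes the address, refuses one owned by another account, stages the change behind a one-time token sent to the new mailbox, and relies on a case-insensitive UNIQUE index so that two concurrent requests cannot both succeed.

```python
import re
import secrets
import sqlite3

# Loose syntactic check only; deliverability is proven by the token below.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def new_db(unique_email=False):
    """In-memory user table with two constructed sample accounts.

    unique_email=True adds a case-insensitive UNIQUE index that backs the
    application-level check, so a race between two requests cannot leave
    two accounts holding the same address.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "email TEXT NOT NULL, pending_email TEXT, token TEXT)"
    )
    if unique_email:
        db.execute("CREATE UNIQUE INDEX users_email ON users (lower(email))")
    db.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.org"), (2, "mallory", "mallory@example.org")],
    )
    return db


def normalize(email):
    return email.strip().lower()


def update_email_vulnerable(db, user_id, new_email):
    """The pattern in the advisory: the form value is written straight to
    the account with no check that the address is free, so any logged-in
    user can claim the administrator's address."""
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    return True


def update_email_hardened(db, user_id, new_email):
    """Validate, refuse addresses held (or pending) on another account, and
    stage the change behind a one-time token mailed to the new address."""
    email = normalize(new_email)
    if not EMAIL_RE.match(email):
        return False, "invalid address"
    taken = db.execute(
        "SELECT 1 FROM users WHERE id <> ? "
        "AND (lower(email) = ? OR lower(pending_email) = ?)",
        (user_id, email, email),
    ).fetchone()
    if taken:
        # A production handler should answer identically for free and taken
        # addresses (and notify the current owner) to avoid user enumeration;
        # the distinct message here only keeps the example readable.
        return False, "address already registered"
    token = secrets.token_urlsafe(32)
    db.execute(
        "UPDATE users SET pending_email = ?, token = ? WHERE id = ?",
        (email, token, user_id),
    )
    return True, token  # sent to the new mailbox out of band, never shown to the caller


def confirm_email(db, user_id, token):
    """Apply the staged change once the token from the new mailbox comes back."""
    row = db.execute(
        "SELECT pending_email, token FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None or row[1] is None or not secrets.compare_digest(row[1], token):
        return False
    try:
        db.execute(
            "UPDATE users SET email = ?, pending_email = NULL, token = NULL WHERE id = ?",
            (row[0], user_id),
        )
    except sqlite3.IntegrityError:
        # Address was taken between request and confirmation; the UNIQUE
        # index turns the race into a clean failure instead of a collision.
        return False
    return True


def accounts_for(db, email):
    """Account ids that a recovery or removal request addressed by email
    would reach; more than one means an attacker shares the victim's identity."""
    rows = db.execute(
        "SELECT id FROM users WHERE lower(email) = ? ORDER BY id", (normalize(email),)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the takeover against both handlers and report which accounts
    mail for admin@example.org resolves to afterwards."""
    weak = new_db()
    update_email_vulnerable(weak, 2, "admin@example.org")
    strong = new_db(unique_email=True)
    ok, _ = update_email_hardened(strong, 2, "Admin@Example.org ")
    return accounts_for(weak, "admin@example.org"), accounts_for(strong, "admin@example.org"), ok


if __name__ == "__main__":
    print(demo())
```

The uniqueness query deliberately excludes the caller's own id, so re-saving a profile with an unchanged address still succeeds, and it also matches pending addresses so two accounts cannot both stage the same change. Normalizing before comparison closes the obvious bypass of submitting `Admin@Example.org` against a stored `admin@example.org`.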

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2023-2429
GHSA-R69V-Q48G-3966

Affected Products

Phpmyfaq