{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-enumeration/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["phpMyFAQ \u003c 4.1.3"],"_cs_severities":["medium"],"_cs_tags":["phpMyFAQ","password-reset","account-enumeration"],"_cs_type":"advisory","_cs_vendors":["phpMyFAQ"],"content_html":"\u003cp\u003ephpMyFAQ versions prior to 4.1.3 are vulnerable to an unauthenticated password reset vulnerability. The vulnerability resides in the password reset API, which lacks proper authentication and authorization checks. An attacker can exploit this by sending a crafted request to the \u003ccode\u003e/api/index.php/user/password/update\u003c/code\u003e endpoint with a valid username and email combination. Upon receiving this request, the application immediately generates a new password, updates the user\u0026rsquo;s account, and sends the new password to the user\u0026rsquo;s email address. This bypasses the intended password reset flow, allowing attackers to forcibly change passwords without any out-of-band confirmation or token validation. This issue was confirmed in a local Docker deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a potential target username and email address.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PUT request to \u003ccode\u003e/api/index.php/user/password/update\u003c/code\u003e with the target\u0026rsquo;s username and email in the JSON body.\u003c/li\u003e\n\u003cli\u003eThe phpMyFAQ application receives the request at \u003ccode\u003ephpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application checks if the provided username and email combination exists.\u003c/li\u003e\n\u003cli\u003eIf the username and email are valid, the application generates a new password.\u003c/li\u003e\n\u003cli\u003eThe application updates the user\u0026rsquo;s password in the database with the newly generated password.\u003c/li\u003e\n\u003cli\u003eThe application sends the new password to the user\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003eThe attacker has now forced a password reset, effectively locking the user out of their account using the original password.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe unauthenticated password reset vulnerability in phpMyFAQ allows attackers to enumerate valid usernames and email addresses. More critically, it enables attackers to forcibly reset user passwords, leading to account disruption and potential denial of service. An attacker knowing a valid username/email pair can trigger an immediate password change without any confirmation, invalidating the old password. While the attacker might not gain immediate access to the account if they lack access to the email, the forced password reset disrupts the victim\u0026rsquo;s access and could lead to further exploitation if the attacker can intercept the new password.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch or upgrade to phpMyFAQ version 4.1.3 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect phpMyFAQ Password Reset Attempt\u003c/code\u003e to monitor for suspicious PUT requests to the password update endpoint.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/api/index.php/user/password/update\u003c/code\u003e endpoint to mitigate brute-force attempts to enumerate valid username/email pairs.\u003c/li\u003e\n\u003cli\u003eChange the password recovery flow to a token-based design as outlined in the source document, generating reset tokens and validating those tokens before resetting the password.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T15:47:42Z","date_published":"2026-05-20T15:47:42Z","id":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-password-reset/","summary":"phpMyFAQ versions prior to 4.1.3 are vulnerable to an unauthenticated password reset vulnerability that allows attackers to enumerate valid accounts and forcibly change user passwords by exploiting the password reset API without token validation.","title":"phpMyFAQ Unauthenticated Password Reset Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-phpmyfaq-password-reset/"}],"language":"en","title":"CraftedSignal Threat Feed — Account-Enumeration","version":"https://jsonfeed.org/version/1.1"}