
CVE-2023-0793: Weak Password Requirements in thorsten/phpmyfaq

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.28272%
Published: 2/12/2023
Updated: 2/24/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: thorsten/phpmyfaq
Ecosystem: composer
Vulnerable Versions: < 3.1.11
First Patched Version: 3.1.11

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from insufficient server-side password validation. The patch added password length checks in phpmyfaq/admin/ajax.user.php:

  1. In the user creation flow: added a check that strlen() > 7 when automaticPassword is disabled.
  2. In the password update flow: added a check that strlen() > 7 for new passwords.

These missing checks in the server-side request handlers (which process the POST data for user management) directly enabled the acceptance of weak passwords. The client-side changes in user.js and user.php (minlength=8) were insufficient on their own, because client-side checks can be bypassed, which makes the server-side validation gap the root cause.
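The server-side check described above, as an added illustration that is not phpMyFAQ's own code: a minimal PHP handler for the two flows the patch touched, with the length floor applied on the server regardless of what the browser form enforced. The function names, the action values and the POST field names other than automaticPassword are assumptions.

```php
<?php
// Added illustration, not phpMyFAQ's own code: a minimal server-side handler
// modelled on the fix described above. The function names, the action values
// and the POST field names other than automaticPassword are assumptions.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 8; // the patch checks strlen() > 7

/** Returns null when the password is long enough, otherwise an error message. */
function validatePasswordLength(string $password): ?string
{
    // strlen() counts bytes, as the patch does; this is a length floor, not a full policy.
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return 'Password must be at least ' . MIN_PASSWORD_LENGTH . ' characters.';
    }
    return null;
}

/**
 * Covers the two flows the patch touched: user creation and password update.
 * $post stands for the decoded POST body of the AJAX request.
 */
function handleUserRequest(array $post): array
{
    switch ($post['action'] ?? '') {
        case 'add_user':
            // Before the fix only the browser enforced minlength=8; a client
            // that posts directly to the handler never runs that check.
            if (empty($post['automaticPassword'])) {
                $error = validatePasswordLength((string) ($post['password'] ?? ''));
                if ($error !== null) {
                    return ['success' => false, 'error' => $error];
                }
            }
            return ['success' => true, 'message' => 'user created'];
        case 'update_password':
            $error = validatePasswordLength((string) ($post['newPassword'] ?? ''));
            if ($error !== null) {
                return ['success' => false, 'error' => $error];
            }
            return ['success' => true, 'message' => 'password updated'];
        default:
            return ['success' => false, 'error' => 'unknown action'];
    }
}

// Constructed sample requests: the second mirrors a direct POST that skips the
// client-side minlength check; the server-side validation now rejects it.
var_dump(handleUserRequest(['action' => 'add_user', 'password' => 'correct-horse-battery']));
var_dump(handleUserRequest(['action' => 'add_user', 'password' => 'abc']));
```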


WAF Protection Rules

WAF Rule

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
