GHSA-9qv9-8xv6-5p35: phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
The password reset API can be triggered without authentication and without any out-of-band confirmation step (no one-time reset token that the account owner has to present before the change takes effect).
If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email to the account's address; the legitimate user is never asked to confirm the request.
This creates two issues at the same time:
- account enumeration: the response for a valid username + email pair differs from the response for an invalid one, so the endpoint can be used as an oracle to confirm which pairs exist
- forced password reset of another user's account: the old password is invalidated immediately, locking the victim out until they retrieve the new password from their mailbox
In my local reproduction, I confirmed both the response difference and the password change itself.
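To make the two issues concrete, the following is an added illustration written for this page; it is not phpMyFAQ's code and does not reproduce its endpoint, storage schema or response format. It models the flaw described above in a minimal in-memory user store (the store, the `outbox` list standing in for outgoing mail, and all user names and passwords are constructed for the example), with the vulnerable flow beside a hardened one. The hardened variant returns the same response whether or not the pair exists, changes nothing until a single-use, time-limited token from the email is presented, and compares secrets in constant time.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption for the example: reset links expire after 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 stand-in for whatever password hash the real application uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store() -> dict:
    """Constructed single-user store; 'alice' / 'old-secret' are example values only."""
    salt = secrets.token_bytes(16)
    return {
        "alice": {
            "email": "alice@example.com",
            "salt": salt,
            "password_hash": hash_password("old-secret", salt),
            "reset_token_hash": None,  # used only by the hardened flow
            "reset_expires": 0.0,
        }
    }


def check_login(users: dict, username: str, password: str) -> bool:
    user = users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"], hash_password(password, user["salt"]))


# --- Vulnerable flow: the pattern the advisory describes -------------------------------
def vulnerable_reset(users: dict, username: str, email: str, outbox: list) -> dict:
    user = users.get(username)
    if user is None or user["email"] != email:
        # Distinguishable error: an attacker can enumerate valid username + email pairs.
        return {"status": 400, "body": "Invalid username or email"}
    # No token, no confirmation: the password is replaced before the owner hears about it.
    new_password = secrets.token_urlsafe(12)
    user["password_hash"] = hash_password(new_password, user["salt"])
    outbox.append({"to": email, "secret": new_password, "body": "Your new password is attached"})
    return {"status": 200, "body": "A new password has been sent"}


# --- Hardened flow: request step is side-effect free, confirm step needs the token --------
def hardened_request_reset(users: dict, username: str, email: str, outbox: list) -> dict:
    user = users.get(username)
    if user is not None and hmac.compare_digest(user["email"].encode(), email.encode()):
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a database read does not yield usable reset links.
        user["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        user["reset_expires"] = time.time() + TOKEN_TTL_SECONDS
        outbox.append({"to": email, "secret": token, "body": "Use this token to reset your password"})
    # Identical response for valid, invalid and unknown pairs: nothing to enumerate.
    return {"status": 200, "body": "If the account exists, a reset link has been sent"}


def hardened_confirm_reset(users: dict, username: str, token: str, new_password: str) -> bool:
    user = users.get(username)
    if user is None or user["reset_token_hash"] is None or time.time() > user["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(user["reset_token_hash"], presented):
        return False
    # Only now, with proof of mailbox access, does the old password stop working.
    user["password_hash"] = hash_password(new_password, user["salt"])
    user["reset_token_hash"] = None  # single use
    user["reset_expires"] = 0.0
    return True


if __name__ == "__main__":
    users, outbox = new_store(), []
    print(vulnerable_reset(users, "alice", "wrong@example.com", outbox))
    print(vulnerable_reset(users, "alice", "alice@example.com", outbox))
    print("old password still valid after vulnerable reset:", check_login(users, "alice", "old-secret"))
    users, outbox = new_store(), []
    print(hardened_request_reset(users, "alice", "wrong@example.com", outbox))
    print(hardened_request_reset(users, "alice", "alice@example.com", outbox))
    print("old password still valid after hardened request:", check_login(users, "alice", "old-secret"))
```

Run stand-alone, the script shows the vulnerable endpoint answering 400 for the wrong email and 200 for the right one while silently invalidating `old-secret`, whereas the hardened request step answers identically in both cases and leaves the password untouched until `hardened_confirm_reset` is called with the token that only the mailbox owner received. A real implementation would additionally rate-limit the request step and invalidate outstanding tokens on successful login or password change.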