Submit #828374: PbootCMS 3.2.12 Improper Authenticationinfo

TitlePbootCMS 3.2.12 Improper Authentication
DescriptionPbootCMS 3.2.12 contains a broken password recovery flow in apps/home/controller/MemberController.php (retrieve()). An unauthenticated remote attacker who knows a victim's username can overwrite that account's password and take over the membership account in a single POST request. Five flaws stack: (1) the !empty($userInfo['useremail']) guard short-circuits the email check for any account whose useremail column is empty (default for username-mode registration); (2) when present, the email comparison is a knowledge proof, not an ownership proof; (3) no one-time / time-bound reset token is issued and no verification email is ever sent; (4) the image CAPTCHA in $_SESSION['checkcode'] only proves "is human", not "is user X"; (5) core/code.php (image CAPTCHA) and MemberController::sendEmail (email code) share the same $_SESSION['checkcode'] key, so an image CAPTCHA satisfies what the UI labels as the email verification code. Result: complete account takeover with no email interaction.
Source⚠️ https://github.com/yunyan05/MYCVE/tree/main/PbootCMS/V3.2.12-Account-Takeover
User
 yunyan05 (UID 90348)
Submission05/13/2026 15:48 (2 months ago)
Moderation06/12/2026 09:41 (30 days later)
StatusAccepted
VulDB entry370561 [PbootCMS up to 3.2.12 Password MemberController.php retrieve username/password/email/checkcode password recovery]
Points20

Interested in the pricing of exploits?

See the underground prices here!