| Title | PbootCMS 3.2.12 Improper Authentication |
|---|
| Description | PbootCMS 3.2.12 contains a broken password recovery flow in apps/home/controller/MemberController.php (retrieve()). An
unauthenticated remote attacker who knows a victim's username can overwrite that account's password and take over the
membership account in a single POST request. Five flaws stack: (1) the !empty($userInfo['useremail']) guard
short-circuits the email check for any account whose useremail column is empty (default for username-mode
registration); (2) when present, the email comparison is a knowledge proof, not an ownership proof; (3) no one-time /
time-bound reset token is issued and no verification email is ever sent; (4) the image CAPTCHA in
$_SESSION['checkcode'] only proves "is human", not "is user X"; (5) core/code.php (image CAPTCHA) and
MemberController::sendEmail (email code) share the same $_SESSION['checkcode'] key, so an image CAPTCHA satisfies what
the UI labels as the email verification code. Result: complete account takeover with no email interaction. |
|---|
| Source | ⚠️ https://github.com/yunyan05/MYCVE/tree/main/PbootCMS/V3.2.12-Account-Takeover |
|---|
| User | yunyan05 (UID 90348) |
|---|
| Submission | 05/13/2026 15:48 (2 months ago) |
|---|
| Moderation | 06/12/2026 09:41 (30 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370561 [PbootCMS up to 3.2.12 Password MemberController.php retrieve username/password/email/checkcode password recovery] |
|---|
| Points | 20 |
|---|