Submit #844927: PbootCMS 3.2.12 Improper Authenticationinfo

TitlePbootCMS 3.2.12 Improper Authentication
DescriptionPbootCMS 3.2.12 contains a broken password recovery flow in apps/home/controller/MemberController.php (retrieve()). An unauthenticated remote attacker who knows a victim's username can overwrite that account's password and take over the membership account in a single POST request. Five flaws stack: (1) the !empty($userInfo['useremail']) guard short-circuits the email check for any account whose useremail column is empty (default for username-mode registration); (2) when present, the email comparison is a knowledge proof, not an ownership proof; (3) no one-time / time-bound reset token is issued and no verification email is ever sent; (4) the image CAPTCHA in $_SESSION['checkcode'] only proves "is human", not "is user X"; (5) core/code.php (image CAPTCHA) and MemberController::sendEmail (email code) share the same $_SESSION['checkcode'] key, so an image CAPTCHA satisfies what the UI labels as the email verification code. Result: complete account takeover with no email interaction.
Source⚠️ https://github.com/pbootcmspro/PbootCMS/issues/38
User
 yunyan05 (UID 90348)
Submission06/01/2026 16:01 (1 month ago)
Moderation07/03/2026 18:53 (1 month later)
StatusDuplicate
VulDB entry370561 [PbootCMS up to 3.2.12 Password MemberController.php retrieve username/password/email/checkcode password recovery]
Points0

Do you need the next level of professionalism?

Upgrade your account now!