| Title | PbootCMS 3.2.12 Improper Authentication |
|---|
| Description | PbootCMS 3.2.12 contains a broken password recovery flow in apps/home/controller/MemberController.php (retrieve()). An unauthenticated remote attacker who knows a victim's username can overwrite that account's password and take over the membership account in a single POST request. Five flaws stack: (1) the !empty($userInfo['useremail']) guard short-circuits the email check for any account whose useremail column is empty (default for username-mode registration); (2) when present, the email comparison is a knowledge proof, not an ownership proof; (3) no one-time / time-bound reset token is issued and no verification email is ever sent; (4) the image CAPTCHA in $_SESSION['checkcode'] only proves "is human", not "is user X"; (5) core/code.php (image CAPTCHA) and MemberController::sendEmail (email code) share the same $_SESSION['checkcode'] key, so an image CAPTCHA satisfies what the UI labels as the email verification code. Result: complete account takeover with no email interaction. |
|---|
| Source | ⚠️ https://github.com/pbootcmspro/PbootCMS/issues/38 |
|---|
| User | yunyan05 (UID 90348) |
|---|
| Submission | 06/01/2026 16:01 (1 month ago) |
|---|
| Moderation | 07/03/2026 18:53 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 370561 [PbootCMS up to 3.2.12 Password MemberController.php retrieve username/password/email/checkcode password recovery] |
|---|
| Points | 0 |
|---|