GHSA-58fg-62fg-3fcjLow

phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).

Details

Affected File : phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php

Impact

  • An attacker can generate SHA-1 collisions to bypass attachment protection
  • Risk of password cracking if database is compromised
  • Estimated cracking time: < 1 minute for standard attachment

Solution

Use bcrypt:

public function setPassword(string $password): void
{
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

public function verifyPassword(string $plainPassword): bool
{
    return password_verify($plainPassword, $this->passwordHash);
}

🎯 Affected products2

  • composer/thorsten/phpmyfaq:<= 4.1.3
  • composer/phpmyfaq/phpmyfaq:<= 4.1.3

🔗 References (4)