PHPRunner stores all user passwords in cleartext in the application database, so attackers who obtain its contents gain full access to user accounts. When combined with a separate public SQL injection vulnerability, unauthenticated remote attackers can steal all cleartext credentials. Stolen credentials can be used to take over administrative access to affected systems.
Remediation
Upgrade PHPRunner to a patched version that uses salted password hashing instead of cleartext storage. Rotate all credentials for accounts stored on affected PHPRunner installations immediately. Remediate any existing SQL injection vulnerabilities on PHPRunner deployments to block unauthorized access.
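The difference between cleartext storage and salted hashing, shown as an added example (not PHPRunner's own code): it audits a credentials table for values that are not salted hashes, converts them, and verifies logins against the result. The `users` table, its column names, and the sample rows are assumptions constructed for the demonstration, and the hash format is PHP's `password_hash()`, which may differ from what the patched PHPRunner release writes.

```php
<?php
declare(strict_types=1);
// Added example: schema and rows are constructed, not PHPRunner's real layout.

/** True when the stored value is a password_hash() output rather than cleartext. */
function is_salted_hash(string $stored): bool
{
    // 'algo' is null (0 on older PHP) when the string is not a recognised hash.
    return !empty(password_get_info($stored)['algo']);
}

/** Replace every cleartext value with a salted hash; returns rows converted. */
function migrate_cleartext(PDO $db): int
{
    $rows = $db->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE users SET password = :h WHERE id = :id');
    $converted = 0;
    $db->beginTransaction();
    foreach ($rows as $row) {
        if (is_salted_hash($row['password'])) {
            continue; // already hashed; hashing it again would lock the user out
        }
        // password_hash() draws a random per-user salt and embeds it in the output.
        $hash = password_hash($row['password'], PASSWORD_DEFAULT);
        $update->execute([':h' => $hash, ':id' => $row['id']]);
        $converted++;
    }
    $db->commit();
    return $converted;
}

/** Login check against the hashed column (constant-time comparison inside). */
function check_login(PDO $db, string $user, string $candidate): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($candidate, $stored);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['admin', 'Winter2024!']);                                   // cleartext
$ins->execute(['carol', password_hash('already-hashed', PASSWORD_DEFAULT)]); // hashed
printf("rows converted: %d\n", migrate_cleartext($db));
var_dump(check_login($db, 'admin', 'Winter2024!'), check_login($db, 'admin', 'wrong'));
```

Hashing the stored values in place does not replace the credential rotation described above, because the cleartext values may already have been read.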
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.