### Summary

Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered).

### Details

**Affected File**: `phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php`

![image](https://github.com/user-attachments/assets/6499a008-3ece-4291-8296-f1d3303ba35c)

### Impact

- An attacker can generate SHA-1 collisions to bypass attachment protection
- Risk of password cracking if the database is compromised
- Estimated cracking time: < 1 minute for a standard attachment

### Solution

**Use bcrypt:**

```php
// Store a salted, work-factor-bound bcrypt hash instead of a bare SHA-1 digest.
public function setPassword(string $password): void
{
    $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
}

// password_verify() reads the algorithm, cost and salt from the stored hash
// and compares in constant time.
public function verifyPassword(string $plainPassword): bool
{
    return password_verify($plainPassword, $this->passwordHash);
}
```
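The two methods above cover new passwords; an existing deployment also holds SHA-1 digests that must keep working until each one is replaced. The following is an added example, not phpMyFAQ's code, showing one way to do that migration: legacy 40-hex-character SHA-1 digests are accepted once, compared in constant time, and immediately re-hashed with bcrypt, while bcrypt hashes are re-hashed whenever `password_needs_rehash()` reports the cost has since been raised. The class name `AttachmentPassword`, the `loadStoredHash()` and `getPasswordHash()` helpers and the sample digest are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyFAQ code): an attachment-password holder that stores
// bcrypt hashes and transparently upgrades legacy SHA-1 digests on the next
// successful verification. Class, method and property names are assumptions.
final class AttachmentPassword
{
    // Either a legacy 40-hex-char SHA-1 digest or a password_hash() string.
    private string $passwordHash = '';

    public function setPassword(string $password): void
    {
        $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
    }

    public function getPasswordHash(): string
    {
        return $this->passwordHash;
    }

    // Loads a hash exactly as it was persisted, whatever its format.
    public function loadStoredHash(string $hash): void
    {
        $this->passwordHash = $hash;
    }

    private function isLegacySha1Hash(): bool
    {
        return preg_match('/^[0-9a-f]{40}$/i', $this->passwordHash) === 1;
    }

    // Returns true when the password matches. As a side effect the stored hash
    // may be upgraded, so callers should persist getPasswordHash() afterwards.
    public function verifyPassword(string $plainPassword): bool
    {
        if ($this->isLegacySha1Hash()) {
            // Constant-time comparison against the legacy digest; on success
            // replace it with bcrypt so SHA-1 disappears from storage.
            if (!hash_equals($this->passwordHash, sha1($plainPassword))) {
                return false;
            }
            $this->setPassword($plainPassword);
            return true;
        }

        if (!password_verify($plainPassword, $this->passwordHash)) {
            return false;
        }
        // Re-hash if the algorithm or cost parameter has since been changed.
        if (password_needs_rehash($this->passwordHash, PASSWORD_BCRYPT)) {
            $this->setPassword($plainPassword);
        }
        return true;
    }
}

// Constructed demonstration: a legacy record holding sha1('secret').
$attachment = new AttachmentPassword();
$attachment->loadStoredHash(sha1('secret'));

// A wrong password leaves the legacy digest in place; the right one upgrades it.
var_dump($attachment->verifyPassword('wrong'));
var_dump($attachment->verifyPassword('secret'));
var_dump(str_starts_with($attachment->getPasswordHash(), '$2y$'));
```

Two practical points when applying this: the database column must be wide enough for a bcrypt string (60 characters for `$2y$`, and more if the algorithm is later changed), and bcrypt only considers the first 72 bytes of the password, so input length should be validated in `setPassword()` rather than silently truncated.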