CVE-2026-45010
phpMyFAQ · phpMyFAQ
phpMyFAQ lacks rate limiting on its TOTP authentication endpoint, allowing unauthenticated attackers to brute-force two-factor authentication tokens.
Executive summary
A lack of rate limiting in the phpMyFAQ administrative login endpoint allows unauthenticated attackers to brute-force TOTP tokens and bypass two-factor authentication.
Vulnerability
The /admin/check endpoint accepts a TOTP code without requiring a login session in which the password step has already succeeded, and it imposes no limit on how many codes a client may submit. A six-digit TOTP has only 1,000,000 possible values, so an attacker can enumerate the keyspace by automation: at a few hundred requests per second the whole space is covered in roughly an hour or two, and because nothing throttles or locks the endpoint the attack runs unattended until a code is accepted.
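To make the two missing controls concrete, the following added example (illustrative code written for this page, not phpMyFAQ's own code) models an unbound, unthrottled TOTP check next to a session-bound, attempt-capped one and runs the same brute-force loop against both. The class and method names, the five-attempt cap, the five-minute pending-login lifetime and the secrets are assumptions; the TOTP itself follows RFC 6238 (HMAC-SHA1, dynamic truncation).

```python
"""Added example (not phpMyFAQ code): an unbound, unthrottled TOTP check beside a
session-bound, attempt-capped one, with a brute-force loop run against both.
Assumed for illustration: the class and method names, the 5-attempt cap, the
5-minute pending-login lifetime and the demo secrets."""
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Optional

STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6     # six-digit codes: exactly 1,000,000 candidates


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class UnboundVerifier:
    """Models the flaw: anyone who can reach the check endpoint may submit a code,
    with no proof that the password step passed and no limit on attempts."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._expected: dict[int, str] = {}   # expected code per time step

    def check(self, code: str, now: int) -> bool:
        step = now // STEP
        if step not in self._expected:        # computed once per step, as a server would
            self._expected[step] = totp(self._secret, now)
        return hmac.compare_digest(self._expected[step], code)


class SessionBoundVerifier:
    """Hardened form: the TOTP check only proceeds inside a short-lived pending-login
    session issued after the password step, each session allows a handful of
    attempts, and a code is accepted at most once per time step (no replay)."""

    MAX_ATTEMPTS = 5
    SESSION_TTL = 300

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: dict[str, dict] = {}
        self._last_step_used: Optional[int] = None

    def start_second_factor(self, now: int) -> str:
        """Call only after the password was verified; returns the pending-login token."""
        sid = secrets.token_urlsafe(32)
        self._pending[sid] = {"attempts": 0, "expires": now + self.SESSION_TTL}
        return sid

    def check(self, sid: str, code: str, now: int) -> bool:
        sess = self._pending.get(sid)
        if sess is None or now >= sess["expires"]:
            self._pending.pop(sid, None)
            raise PermissionError("no pending login for this session")
        sess["attempts"] += 1
        step = now // STEP
        if hmac.compare_digest(totp(self._secret, now), code) and step != self._last_step_used:
            self._pending.pop(sid)            # success consumes the session
            self._last_step_used = step       # and the same code cannot be replayed
            return True
        if sess["attempts"] >= self.MAX_ATTEMPTS:
            self._pending.pop(sid)            # cap reached: back to the password step
            raise PermissionError("too many second-factor attempts")
        return False


def brute_force(check: Callable[[str, int], bool], now: int) -> tuple[Optional[str], int]:
    """Submit 000000..999999 until one is accepted or the server shuts the attempt down.
    Returns (accepted code or None, number of submissions made)."""
    for n in range(10 ** DIGITS):
        code = f"{n:0{DIGITS}d}"
        try:
            if check(code, now):
                return code, n + 1
        except PermissionError:
            return None, n + 1
    return None, 10 ** DIGITS


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    now = 1_700_000_000     # frozen clock: the attacker works within one time step
    print("unbound endpoint:", brute_force(UnboundVerifier(secret).check, now))
    hard = SessionBoundVerifier(secret)
    sid = hard.start_second_factor(now)
    print("session-bound endpoint:", brute_force(lambda c, t: hard.check(sid, c, t), now))
```

Against the unbound verifier the loop always terminates with the accepted code; against the session-bound one it is stopped after five submissions and the attacker is sent back to the password step, which they cannot pass. Capping attempts per pending session rather than per account means an attacker who never passed the password step cannot lock the real administrator out.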
Business impact
Bypassing two-factor authentication grants an attacker full administrative access to the phpMyFAQ instance, potentially leading to total system compromise and data loss. The vulnerability is rated 9.1, in the critical range, reflecting the high risk to the administrative tier.
Remediation
Immediate Action: Update phpMyFAQ to version 4.1.2 or later, which adds rate limiting to the TOTP check and binds verification to the login session.
Proactive Monitoring: Monitor web-server and authentication logs for high volumes of requests to /admin/check, for bursts of failed login attempts, and for sequential token submissions from a single source against the administrative interface.
Compensating Controls: Restrict access to the /admin/ path via IP allowlisting or VPN-only access so the endpoint is not reachable from the public internet. This removes the unauthenticated attack surface until the upgrade is applied but does not itself fix the missing throttle.
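The monitoring item above can be turned into a concrete check. The following added example (written for this page, not part of phpMyFAQ) runs a sliding-window counter over web-server access logs and raises one alert per offending source, plus a global alert that catches an attacker spread across many addresses. It assumes the combined log format, one POST to /admin/check per token submission, and the window and thresholds given as constants; the log lines in sample_log() are constructed for the demonstration.

```python
"""Added example (not phpMyFAQ code): flag brute-force bursts against the TOTP check
endpoint in web-server access logs. Assumed for illustration: combined log format,
one POST to /admin/check per token submission, the window and thresholds below,
and the constructed log lines in sample_log()."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TARGET = "/admin/check"
WINDOW = 60       # seconds of sliding window
PER_SOURCE = 20   # submissions from one client per window; a human retyping a code never gets here
GLOBAL = 100      # submissions per window from all clients; catches a distributed attacker


def parse(line: str):
    """Return (ip, epoch seconds, method, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(lines):
    """Sliding-window counter over token submissions, one alert per offender.
    Each alert is (epoch seconds, kind, subject, count at the moment of alerting)."""
    per_source = defaultdict(deque)
    overall = deque()
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != TARGET:
            continue
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:          # q is never empty: ts itself was just appended
            q.popleft()
        overall.append(ts)
        while ts - overall[0] > WINDOW:
            overall.popleft()
        if len(q) > PER_SOURCE and ("src", ip) not in alerted:
            alerted.add(("src", ip))
            alerts.append((ts, "src", ip, len(q)))
        if len(overall) > GLOBAL and ("global", "*") not in alerted:
            alerted.add(("global", "*"))
            alerts.append((ts, "global", "*", len(overall)))
    return alerts


def sample_log():
    """Constructed access log: a real admin, one noisy source, then a distributed burst."""
    base = datetime(2026, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "POST {TARGET} HTTP/1.1" {status} 512'

    lines = [line("198.51.100.2", 0, 401), line("198.51.100.2", 20, 302)]   # mistyped, then correct
    lines += [line("203.0.113.7", 30 + i, 401) for i in range(25)]           # 25 codes in 25 s
    lines += [line(f"192.0.2.{k}", 120 + 3 * i, 401)                         # 12 IPs, 10 codes each
              for i in range(10) for k in range(1, 13)]
    lines.append('203.0.113.7 - - [01/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000')
    return lines


if __name__ == "__main__":
    for ts, kind, subject, count in detect(sample_log()):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S")
        print(f"{when} {kind:6} {subject:14} {count} submissions to {TARGET} in {WINDOW}s")
```

On the constructed log the legitimate administrator never trips a threshold, the single noisy source is reported on its 21st submission, and the twelve-address burst, which stays under the per-source limit, is caught by the global counter on the 101st submission. The submitted code is in the POST body and not in the access log, so "sequential" tokens cannot be seen here; volume per source and per endpoint is the signal this log can give.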
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrative access is the highest security tier; failing to protect this endpoint renders all other security measures ineffective. Update the software immediately to enforce robust authentication controls.