Weak password policy on account creation/password update in hay-kot/mealie

Valid

Reported on

Jul 30th 2022


Description

The password policy applied on the account creation and password change pages is weak: a password of only 1 character is accepted on both.

Proof of Concept

Case 1 - Account Creation

  1. Log in as admin and go to the users page.

  2. Create a new user, set 1 as the password and click "Create".

  3. The new user is created successfully.

Case 2 - Password Change

  1. Log in as a normal user and go to the profile page.

  2. Click "Change password", set 1 as the new password and click "Save".

  3. The password is changed successfully.

Impact

With no minimum length enforced, user passwords can be guessed with very few attempts, giving an attacker access to user and administrative accounts.

We are processing your report and will contact the hay-kot/mealie team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back a year ago
We have sent a follow up to the hay-kot/mealie team. We will try again in 7 days. a year ago
We have sent a second follow up to the hay-kot/mealie team. We will try again in 10 days. a year ago
Hayden validated this vulnerability a year ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hayden marked this as fixed in nightly with commit 54c4f1 a year ago
Hayden has been awarded the fix bounty
This vulnerability will not receive a CVE
crud.py#L94-L103 has been validated