Weak password policy on account creation/password update in hay-kot/mealie
Jul 30th 2022
The password policy used on the account creation and password change pages is weak: it allows a password of only 1 character to be set.
Proof of Concept
Case 1 - Account Creation
1 - Log in as admin and go to the users page.
2 - Create a new user, set "1" as the password and click "Create".
3 - The new user is created successfully.
Case 2 - Password Change
1 - Log in as a normal user and go to the profile page.
2 - Click "Change password", set "1" as the new password and click "Save".
3 - The password is changed successfully.
An attacker could easily guess user passwords and gain access to user and administrative accounts.
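As an added example (not code from the mealie project), the following shows one server-side password policy that would reject the one-character password from the proof of concept on both the account-creation and the password-change path, by routing both through a single check. The minimum and maximum lengths, the small blocklist and the hashing parameters are assumptions chosen for illustration:

```python
"""
Server-side password policy check (added example; not mealie's own code).

The report shows a one-character password being accepted on account creation
and on password change. One defensive pattern is to enforce the policy in a
single function that every code path (create user, change password, admin
reset) calls, so a weak or bypassed client-side check cannot help.
"""
import hashlib
import os
from dataclasses import dataclass, field

MIN_LENGTH = 8      # assumed minimum; NIST SP 800-63B recommends at least 8 characters
MAX_LENGTH = 128    # assumed cap so very long inputs do not drive up hashing cost

# Constructed, tiny stand-in for a real breached/common-password list.
COMMON_PASSWORDS = frozenset({"password", "12345678", "qwerty123", "letmein1"})


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


class PasswordPolicyError(ValueError):
    """Raised when a new password does not meet the policy."""


def check_password(password: str, username: str = "", email: str = "") -> PolicyResult:
    """Return every policy rule the candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        failures.append(f"must be at most {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("is a commonly used password")
    # Reject passwords that simply reuse the account's own identifiers.
    identifiers = {s.lower() for s in (username, email.split("@")[0]) if s}
    if password.lower() in identifiers:
        failures.append("must not match the username or e-mail")
    return PolicyResult(ok=not failures, failures=failures)


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumed value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256$200000${salt.hex()}${digest.hex()}"


def set_password(user: dict, new_password: str) -> dict:
    """Shared path for account creation and password change (hypothetical user dict)."""
    result = check_password(new_password, user.get("username", ""), user.get("email", ""))
    if not result.ok:
        raise PasswordPolicyError("; ".join(result.failures))
    user["password_hash"] = hash_password(new_password)
    return user


if __name__ == "__main__":
    # The proof-of-concept input: a single character is rejected on both paths.
    for path, user in (("create", {"username": "newuser"}), ("change", {"username": "alice"})):
        try:
            set_password(user, "1")
        except PasswordPolicyError as exc:
            print(f"{path}: rejected ({exc})")
    print("accepted:", "password_hash" in set_password({"username": "carol"}, "correct horse battery"))
```

Because `set_password` is the only place a hash is written, the admin user-creation page and the profile password-change page cannot diverge in what they accept; a regression test that asserts `check_password("1").ok` is false on both paths catches the issue this report describes.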