Weak password policy on account creation/password update in plankanban/planka

Valid

Reported on

Aug 2nd 2022


Description

The password policy enforced on the account creation and password change pages is weak: it allows a password of only 1 character to be set.

Proof of Concept

Case 1 - Account Creation

  1. Log in as admin and go to the users page.
  2. Create a new user, set 1 as the password and click "Add user".
  3. The new user is created successfully.


Case 2 - Password Change

  1. Log in as a normal user, go to the settings page and click "Edit Password".
  2. Set 1 as the new password and click "Save".
  3. The password is changed successfully.

Impact

An attacker could easily guess user passwords and gain access to normal user and administrative accounts.
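A sketch of a single server-side check applied to both flows described above, so that neither account creation nor password change can accept a value like `1`. This is an added example, not code from planka or its fix; the 12-character minimum, the denylist entries and the names `checkPassword`, `createUser` and `changePassword` are assumptions.

```javascript
// Added example: one server-side password check shared by both flows.
// MIN_LENGTH, MAX_LENGTH and the denylist entries are assumed values.
const MIN_LENGTH = 12;
const MAX_LENGTH = 128;
const COMMON_PASSWORDS = new Set(['passwordpassword', '123456789012', 'qwertyuiopasdf']); // constructed sample

function checkPassword(password, { username = '', email = '' } = {}) {
  if (typeof password !== 'string') return ['not_a_string'];
  const problems = [];
  const lowered = password.toLowerCase();
  const length = [...password].length; // code points, not UTF-16 units
  if (length < MIN_LENGTH) problems.push('too_short');
  if (length > MAX_LENGTH) problems.push('too_long');
  if (COMMON_PASSWORDS.has(lowered)) problems.push('common');
  if (new Set(lowered).size < 4) problems.push('low_variety'); // e.g. "aaaaaaaaaaaa"
  // Reject passwords built around the account's own identifiers.
  const identity = [username, email.split('@')[0]]
    .map((s) => s.toLowerCase())
    .filter((s) => s.length >= 3);
  if (identity.some((s) => lowered.includes(s))) problems.push('contains_identity');
  return problems;
}

// Hypothetical handlers for the two cases in the report. Hashing and
// persistence are left out; `users` is a Map of username -> { email }.
function createUser(users, { username, email, password }) {
  const problems = checkPassword(password, { username, email });
  if (problems.length > 0) return { ok: false, problems };
  users.set(username, { email });
  return { ok: true, problems: [] };
}

function changePassword(users, username, newPassword) {
  const user = users.get(username);
  if (!user) return { ok: false, problems: ['unknown_user'] };
  const problems = checkPassword(newPassword, { username, email: user.email });
  return { ok: problems.length === 0, problems };
}
```

The check belongs in the request handlers rather than only in the form, since a client-side rule can be skipped by calling the API directly.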

We are processing your report and will contact the plankanban/planka team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the plankanban/planka team and are waiting to hear back 2 years ago
We have sent a follow up to the plankanban/planka team. We will try again in 4 days. 2 years ago
Maksim Eltyshev modified the Severity from High to None 2 years ago
Maksim Eltyshev modified the Severity from None to Low 2 years ago
Maksim Eltyshev
2 years ago

Maintainer


I accidentally changed severity and I can't make it back to high 🙈 The save button is disabled...

vultza modified the report
2 years ago
vultza
2 years ago

Researcher


No problem, already fixed it.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Maksim Eltyshev validated this vulnerability 2 years ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the plankanban/planka team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the plankanban/planka team. We will try again in 10 days. 2 years ago
Maksim Eltyshev marked this as fixed in 1.7.3 with commit 5c91bd 2 years ago
The fix bounty has been dropped
create.js#L63-L77 has been validated