Weak Password Requirements in notrinos/notrinoserp


Reported on

Aug 18th 2022


The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Proof of Concept

Steps to reproduce

1. Login to admin account.
2. Drom user account setup create a new user.
3. Full the form username `user3` and password single character `a`.
4. Account created successfully without any password restriction.

pass1 pass2


An attacker could easily guess user passwords and gain access user accounts.


We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a year ago
Phương gave praise a year ago
Thanks @0xcybery for detecting this, will fix it soon
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Phương assigned a CVE to this report a year ago
Phương validated this vulnerability a year ago
Abdullah Baghuth has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Phương marked this as fixed in 0.7 with commit e61e76 a year ago
Phương has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation