Weak Password Requirements in notrinos/notrinoserp

Valid

Reported on

Aug 18th 2022


Description

The product does not require users to choose strong passwords, which makes it easier for attackers to compromise user accounts.

Proof of Concept

Steps to reproduce

1. Log in to the admin account.
2. From the user account setup, create a new user.
3. Fill in the form with the username `user3` and the single-character password `a`.
4. The account is created successfully without any password restriction.


Impact

An attacker could easily guess user passwords and gain access to user accounts.
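An added example, not code from the report or from NotrinosERP: a server-side check of the kind that would have rejected the proof-of-concept account (username `user3`, password `a`) at creation time instead of storing it. The minimum length, the deny-list contents and the in-memory `store` standing in for the user table are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed deny-list of frequently guessed passwords (assumed, not from the
# report); a real deployment would load a large breached-password list instead.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "admin", "letmein", "welcome",
})
MIN_LENGTH = 12            # assumed policy value, not taken from the report
PBKDF2_ITERATIONS = 200_000


def password_policy_errors(username: str, password: str) -> list:
    """Return every policy violation for a proposed password; an empty list means accepted."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password deny-list")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    if len(set(password)) < 4:
        errors.append("too few distinct characters")
    return errors


def create_user(store: dict, username: str, password: str) -> bool:
    """Server-side user creation: refuse the account unless the password passes policy.

    `store` is a hypothetical in-memory stand-in for the user table; each entry keeps
    a random salt and a PBKDF2-HMAC-SHA256 hash, never the password itself.
    """
    if password_policy_errors(username, password):
        return False  # the caller surfaces the violation list on the admin form
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    store[username] = {"salt": salt, "hash": digest}
    return True


def verify_password(store: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored salted hash using a constant-time compare."""
    record = store.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])
```

Calling `create_user(users, "user3", "a")` returns `False` with the violations "shorter than 12 characters" and "too few distinct characters", while a long passphrase is accepted and can then be verified with `verify_password`.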

References

We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a year ago
Phương gave praise a year ago
Thanks @0xcybery for detecting this, will fix it soon
Phương assigned a CVE to this report a year ago
Phương validated this vulnerability a year ago
Abdullah Baghuth has been awarded the disclosure bounty
The fix bounty is now up for grabs
Phương marked this as fixed in 0.7 with commit e61e76 a year ago
Phương has been awarded the fix bounty
This vulnerability will not receive a CVE