The web app does not verify weak password at backend in cloudexplorer-dev/cloudexplorer-lite
May 31st 2023
Access and log in to the demo website: https://cloudexplorer-lite-demo.fit2cloud.com/
In the change-password function, the backend does not validate password strength, so a user can:
1/ Set the new password to the same value as the old password.
2/ Set a one-character password, such as 1. This bypasses the frontend check, which is the only place the rule is enforced.
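The missing server-side checks, as an added example written for this report rather than code from cloudexplorer-lite: a change-password handler that rejects short or simple passwords and reuse of the current password, comparing the candidate against the stored hash instead of a plaintext copy. The policy values, function names and sample account are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed example of a server-side password-change check (added here,
# not cloudexplorer-lite's own code). Policy values are assumptions.
MIN_LENGTH = 8
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-SHA256 hash of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def validate_new_password(new_password: str, stored_salt: bytes, stored_digest: bytes) -> list:
    """Return the list of policy violations; an empty list means the change is allowed.
    Every rule runs on the server, so a modified or bypassed frontend cannot skip it."""
    errors = []
    if len(new_password) < MIN_LENGTH:
        errors.append(f"password must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", new_password) or not re.search(r"\d", new_password):
        errors.append("password must contain both letters and digits")
    # Reuse check: hash the candidate and compare with the stored hash.
    if verify_password(new_password, stored_salt, stored_digest):
        errors.append("new password must differ from the current password")
    return errors


def change_password(current_password: str, new_password: str, stored_salt: bytes, stored_digest: bytes) -> tuple:
    """Simulated change-password handler: returns (ok, errors, new_salt, new_digest)."""
    if not verify_password(current_password, stored_salt, stored_digest):
        return False, ["current password is incorrect"], None, None
    errors = validate_new_password(new_password, stored_salt, stored_digest)
    if errors:
        return False, errors, None, None
    salt, digest = hash_password(new_password)
    return True, [], salt, digest


# Constructed sample account used by the checks below.
SALT, DIGEST = hash_password("OldPassw0rd")
```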
Proof of Concept
Link video PoC: https://drive.google.com/file/d/1t8Wz8lXIrcfmCRrW07zrsJ38v0ZX7m2h/view?usp=sharing
Weak passwords can be easily guessed and are an easy target for brute force attacks.
This can lead to an authentication system failure and compromise system security.