The web app does not verify weak password at backend in cloudexplorer-dev/cloudexplorer-lite


Reported on

May 31st 2023


Access and login to the demo website:

At changing password function, the backend does not verify weak passwords so that user can do:

1/ Set new password as same as old password.

2/ Set new password by one character, such as 1. This case can bypass frontend check.

Proof of Concept

Link video PoC:


Weak passwords can be easily guessed and are an easy target for brute force attacks.

This can lead to an authentication system failure and compromise system security.

We are processing your report and will contact the cloudexplorer-dev/cloudexplorer-lite team within 24 hours. 6 months ago
We have contacted a member of the cloudexplorer-dev/cloudexplorer-lite team and are waiting to hear back 6 months ago
cloudexplorer-dev/cloudexplorer-lite maintainer validated this vulnerability 6 months ago

Thank you for feedback. We will fix it in the next version.

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
5 months ago


Thank you for feedback. The vulnerability has been resolved in v1.2.0. Please upgrade to the latest version.

cloudexplorer-dev/cloudexplorer-lite maintainer marked this as fixed in v 1.2.0 with commit 7d4dab 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
cloudexplorer-dev/cloudexplorer-lite maintainer published this vulnerability 5 months ago
to join this conversation