Password can be set to a very weak value in ikus060/minarca
Sep 13th 2022
For testing the issue, I used the demo website. In the edit user profile section, we can set New Password to 1 (or any single character). There is no password policy and no password strength check. Moreover, it also allows us to change the password, and the new password can likewise be set to a weak value.
Proof of Concept
Access the demo website and log in as an admin. Edit a user with New Password set to 1 or any other short, weak value. Try to log in as that user; it succeeds.
As a normal user, log in and try the change password function; it also succeeds with a weak password.
An attacker will be able to obtain every user account that has a weak password by means of a brute-force attack.
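The check the report finds missing, as an added example written for this page. It is not minarca's or rdiffweb's own code; Python is chosen only because the minarca server is written in Python. The function names, thresholds (12-character minimum, 50-bit entropy estimate) and the small denylist are assumptions for the demonstration. The same function would be called from both places the report names, the admin's edit-user form and the user's own change-password form, so that neither path accepts a value such as 1.

```python
import math
import unicodedata

# Assumed policy parameters (not minarca's): a 12-character floor, an upper
# bound so a password hash cannot be used for CPU exhaustion, and a tiny
# constructed denylist that a real deployment would replace with a large list.
MIN_LENGTH = 12
MAX_LENGTH = 256
COMMON_PASSWORDS = frozenset({
    "1", "123456", "12345678", "password", "qwerty", "admin",
    "letmein", "welcome", "minarca",
})


def estimate_entropy_bits(password):
    """Rough strength estimate: length * log2(size of the character pool used).

    Only the character classes actually present count toward the pool, so a
    digits-only password such as "1" scores log2(10) bits per character.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, username=None, min_length=MIN_LENGTH, min_bits=50):
    """Return a list of policy violations; an empty list means the password passes.

    Returning every reason at once lets the form show the user what to fix
    instead of making them guess one rule at a time.
    """
    problems = []
    # Normalise first so visually identical Unicode input is judged the same way.
    normalized = unicodedata.normalize("NFKC", password)
    lowered = normalized.lower()

    if len(normalized) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("in the common-password denylist")
    if len(set(normalized)) < 4:
        problems.append("too few distinct characters")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if estimate_entropy_bits(normalized) < min_bits:
        problems.append(f"estimated entropy below {min_bits} bits")
    return problems


def is_acceptable(password, username=None):
    """Convenience wrapper for the two form handlers: True only with no violations."""
    return not check_password(password, username)


if __name__ == "__main__":
    # The value from the report, and a passphrase that satisfies the assumed policy.
    for candidate in ("1", "password", "correct-horse-battery-staple"):
        verdict = check_password(candidate, username="alice")
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Rejecting the password on both the admin and the self-service path matters because the report shows that each of them accepts a weak value independently; fixing only the edit-user form would leave the change-password form as the way around the policy. A character-class estimate like the one above is deliberately coarse, which is why the denylist and the distinct-character rule are kept alongside it: repeated or dictionary values can score well on length alone.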