No rate limit on main Login page leads to account takeover in octoprint/octoprint
Aug 12th 2022
As a best practice, a login page should rate-limit login attempts to prevent any kind of brute force.
Also, the password policy used on the account creation and password change pages is weak: it allows a password of only 1 character to be set.
An attacker can freely brute-force usernames and passwords and take over any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
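The two controls the report asks for, a failed-login rate limit on the login handler and a minimum password length on the account pages, as an added example in Python (OctoPrint's language); this is not OctoPrint's code, and the thresholds, the `users` dict and the plaintext comparison are assumptions standing in for a real user store and password-hash check.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed attempts allowed per account ...
WINDOW_SECONDS = 300       # ... inside this sliding window (assumed values)
MIN_PASSWORD_LENGTH = 12   # rejects the 1-character passwords the report describes


class LoginRateLimiter:
    """Sliding-window count of failed logins keyed by lowercase username.
    Only failures count, so a legitimate user is not locked out by successes."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # username -> timestamps of failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()

    def is_blocked(self, username):
        key = username.lower()
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_failures

    def record_failure(self, username):
        self.failures[username.lower()].append(self.clock())

    def record_success(self, username):
        self.failures.pop(username.lower(), None)


def validate_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


def attempt_login(limiter, users, username, password):
    """Consult the limiter before checking credentials, so a locked account gives
    the same answer whether or not the guessed password was right."""
    if limiter.is_blocked(username):
        return "rate_limited"
    if users.get(username) == password:   # stand-in for a constant-time hash verify
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "invalid"
```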