Weak password policy on account creation/password update in hay-kot/mealie

Valid

Reported on

Jul 30th 2022


Description

The password policy used on the account creation and password change pages is weak: it allows a password of only 1 character to be set.

Proof of Concept

Case 1 - Account Creation

  1. Login as admin and go to the users page.

  2. Create a new user, set 1 as the password and click "Create".

  3. The new user is created successfully.

Case 2 - Password Change

  1. Login as a normal user and go to the profile page.

  2. Click "Change password", set 1 as the new password and click "Save".

  3. The password is changed successfully.

Impact

An attacker could easily guess user passwords and gain access to user and administrative accounts.
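The mitigation for this class of finding is a single password-policy check that is enforced on both the account-creation and the password-change paths, so neither page can accept a value the other would reject. The block below is an added example written for this page; it is not mealie's code and does not reproduce the fix merged in 54c4f1. The `PasswordPolicy` and `UserStore` names, the minimum length of 8, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class WeakPasswordError(ValueError):
    """Raised when a password fails the policy (assumed helper name)."""


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed values: the report shows a 1-character password being accepted,
    # so the minimum length is the control that was missing.
    min_length: int = 8
    # Upper bound keeps hashing cost predictable and rejects absurd inputs.
    max_length: int = 128

    def validate(self, password: str) -> None:
        """Raise WeakPasswordError unless the password satisfies the policy."""
        if not isinstance(password, str):
            raise WeakPasswordError("password must be a string")
        if len(password) < self.min_length:
            raise WeakPasswordError(
                f"password must be at least {self.min_length} characters"
            )
        if len(password) > self.max_length:
            raise WeakPasswordError(
                f"password must be at most {self.max_length} characters"
            )
        if password.isspace():
            raise WeakPasswordError("password must not consist only of whitespace")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (assumed parameters)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


@dataclass
class UserStore:
    """Minimal in-memory user store; both write paths share one policy."""
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    _users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    def create_user(self, username: str, password: str) -> bool:
        # Account creation path (Case 1 in the report): validate before storing.
        self.policy.validate(password)
        self._users[username] = hash_password(password)
        return True

    def change_password(self, username: str, new_password: str) -> bool:
        # Password change path (Case 2 in the report): same validator, same rules.
        if username not in self._users:
            raise KeyError(f"unknown user {username!r}")
        self.policy.validate(new_password)
        self._users[username] = hash_password(new_password)
        return True

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the candidate against the stored digest."""
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)


def policy_rejects(store: UserStore, username: str, password: str) -> bool:
    """True if the change-password path rejects `password` for an existing user."""
    try:
        store.change_password(username, password)
    except WeakPasswordError:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct-horse-battery")
    # The report's proof of concept value "1" is now rejected on both paths.
    print("create with '1' rejected:", policy_rejects(UserStore(), "nobody", "1")
          if False else "n/a (no such user)")
    print("change to '1' rejected:", policy_rejects(store, "alice", "1"))
```

The point of routing both `create_user` and `change_password` through `PasswordPolicy.validate` is that the policy lives in one place: a length rule added only to the registration form, as is common, leaves the profile page as the bypass the report describes.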

Timeline

We are processing your report and will contact the hay-kot/mealie team within 24 hours. (2 months ago)
We have contacted a member of the hay-kot/mealie team and are waiting to hear back. (2 months ago)
We have sent a follow up to the hay-kot/mealie team. We will try again in 7 days. (2 months ago)
We have sent a second follow up to the hay-kot/mealie team. We will try again in 10 days. (a month ago)
Hayden validated this vulnerability. (a month ago)
vultza has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Hayden confirmed that a fix has been merged on 54c4f1. (a month ago)
Hayden has been awarded the fix bounty.
crud.py#L94-L103 has been validated.