Weak password policy on account creation/password update in plankanban/planka

Valid

Reported on

Aug 2nd 2022


Description

The password policy applied on the account creation and password change pages is weak: a password of only 1 character is accepted.

Proof of Concept

Case 1 - Account Creation

  1. Log in as admin and go to the users page.
  2. Create a new user, set 1 as the password and click "Add user".
  3. The new user is created successfully.


Case 2 - Password Change

  1. Log in as a normal user, go to the settings page and click "Edit Password".
  2. Set 1 as the new password and click "Save".
  3. The password is changed successfully.

Impact

An attacker could easily guess user passwords and gain access to normal user and administrative accounts.
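
Both cases above come down to the same missing server-side check. The following is an added example, not Planka's code and not the merged fix, of one policy function shared by the create and change paths; the function names, thresholds, word list and in-memory user store are assumptions made for illustration.

```javascript
// Hypothetical policy values for this example; tune them to your own requirements.
const MIN_LENGTH = 8;
const MAX_LENGTH = 128; // bound input size so hashing cost stays predictable
// Constructed sample list; a real deployment would use a larger breached-password list.
const COMMON_PASSWORDS = new Set(['password', '12345678', 'qwertyui', 'letmein1']);

// Returns the list of policy violations; an empty list means the password is acceptable.
function checkPassword(password, { username = '', email = '' } = {}) {
  if (typeof password !== 'string') return ['not-a-string'];
  const problems = [];
  const length = Array.from(password).length; // code points, not UTF-16 units
  if (length < MIN_LENGTH) problems.push('too-short');
  if (length > MAX_LENGTH) problems.push('too-long');
  const lowered = password.toLowerCase();
  if (COMMON_PASSWORDS.has(lowered)) problems.push('common');
  const identities = [username.toLowerCase(), email.split('@')[0].toLowerCase()];
  if (identities.some((id) => id && id === lowered)) problems.push('matches-identity');
  if (length > 0 && new Set(lowered).size === 1) problems.push('single-repeated-character');
  return problems;
}

// In-memory stand-in for the user table (constructed for this example).
const users = new Map();

// Case 1: account creation enforces the policy on the server, not only in the form.
function createUser({ username, email, password }) {
  const problems = checkPassword(password, { username, email });
  if (problems.length > 0) return { ok: false, problems };
  users.set(username, { email, passwordVersion: 1 }); // hashing and storage omitted
  return { ok: true, problems: [] };
}

// Case 2: password change goes through the same check.
function updatePassword(username, newPassword) {
  const user = users.get(username);
  if (!user) return { ok: false, problems: ['no-such-user'] };
  const problems = checkPassword(newPassword, { username, email: user.email });
  if (problems.length > 0) return { ok: false, problems };
  user.passwordVersion += 1; // hashing and storage omitted
  return { ok: true, problems: [] };
}
```

Because the check runs in the handler rather than in the form, a request sent directly to the API is rejected the same way as one submitted through the UI.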

We are processing your report and will contact the plankanban/planka team within 24 hours. 2 months ago
We have contacted a member of the plankanban/planka team and are waiting to hear back 2 months ago
We have sent a follow up to the plankanban/planka team. We will try again in 7 days. 2 months ago
Maksim Eltyshev modified the Severity from High to None 2 months ago
Maksim Eltyshev modified the Severity from None to Low 2 months ago
Maksim Eltyshev
2 months ago

Maintainer


I accidentally changed severity and I can't make it back to high 🙈 The save button is disabled...

vultza modified the report
2 months ago
vultza
2 months ago

Researcher


No problem, already fixed it.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Maksim Eltyshev validated this vulnerability 2 months ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the plankanban/planka team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the plankanban/planka team. We will try again in 10 days. a month ago
Maksim Eltyshev confirmed that a fix has been merged on 5c91bd a month ago
The fix bounty has been dropped
create.js#L63-L77 has been validated