Weak Password Requirements in notrinos/notrinoserp

Valid

Reported on Aug 18th 2022


Description

The product does not require users to choose strong passwords, which makes it easier for attackers to compromise user accounts.

Proof of Concept

Steps to reproduce

1. Log in to the admin account.
2. From the user account setup page, create a new user.
3. Fill in the form with the username `user3` and the single-character password `a`.
4. The account is created successfully without any password restriction.
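The following is an added example of the server-side check that step 3 shows to be missing: a password policy applied when an admin creates or edits a user, which would refuse the one-character password `a` from the report. It is not NotrinosERP's own code; the function and constant names (`password_policy_violations`, `create_user_or_reject`, `DENIED_PASSWORDS`) are hypothetical, and the deny list is a constructed sample standing in for a real breached-password list.

```php
<?php
// Added example (not NotrinosERP's own code): a server-side password policy
// check for the user-creation handler. Names are hypothetical.

declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 8;   // NIST SP 800-63B minimum for user-chosen passwords
const MAX_PASSWORD_LENGTH = 128; // upper bound so hashing cost stays predictable

// Constructed sample deny list; a real deployment would load a breached-password list.
const DENIED_PASSWORDS = ['password', '12345678', 'qwertyuiop', 'letmein1'];

/**
 * Returns the list of reasons why $password is unacceptable.
 * An empty array means the password passes the policy.
 */
function password_policy_violations(string $password, string $username): array
{
    $violations = [];
    $length = mb_strlen($password, 'UTF-8');

    if ($length < MIN_PASSWORD_LENGTH) {
        $violations[] = sprintf('Password must be at least %d characters long.', MIN_PASSWORD_LENGTH);
    }
    if ($length > MAX_PASSWORD_LENGTH) {
        $violations[] = sprintf('Password must be at most %d characters long.', MAX_PASSWORD_LENGTH);
    }

    // Case-insensitive comparison against the deny list and the username.
    $lower = mb_strtolower($password, 'UTF-8');
    if (in_array($lower, DENIED_PASSWORDS, true)) {
        $violations[] = 'Password is too common.';
    }
    if ($username !== '' && $lower === mb_strtolower($username, 'UTF-8')) {
        $violations[] = 'Password must not be the same as the username.';
    }

    // Reject a single repeated character such as "aaaaaaaa".
    if ($length > 0 && count(array_unique(mb_str_split($password, 1, 'UTF-8'))) === 1) {
        $violations[] = 'Password must not be a single repeated character.';
    }
    return $violations;
}

/**
 * How the user-creation handler would use the check: refuse to create the
 * account unless the policy passes, and store only a password hash.
 * Returns the hash on success or null on rejection.
 */
function create_user_or_reject(string $username, string $password): ?string
{
    $violations = password_policy_violations($password, $username);
    if ($violations !== []) {
        foreach ($violations as $reason) {
            fwrite(STDERR, "Rejected: {$reason}\n");
        }
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Demo with the values from the report ("user3" / "a") plus a few other cases.
$cases = [
    ['user3', 'a'],
    ['user3', 'user3'],
    ['user3', 'password'],
    ['user3', 'correct horse battery staple'],
];
foreach ($cases as [$user, $pw]) {
    $hash = create_user_or_reject($user, $pw);
    printf("%-32s => %s\n", var_export($pw, true), $hash === null ? 'rejected' : 'accepted');
}
```

The check deliberately uses a minimum length and a deny list rather than character-composition rules (NIST SP 800-63B advises against the latter), and it runs on the server regardless of any client-side validation, since the report shows the form accepting whatever is submitted. Run it with `php policy.php`; the first three cases are rejected and the last is accepted.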


Impact

An attacker could easily guess user passwords and gain access to user accounts.

Timeline

We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. a month ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a month ago
Phương gave praise a month ago
Thanks @0xcybery for detecting this, will fix it soon
Phương assigned a CVE to this report a month ago
Phương validated this vulnerability a month ago
Abdullah Baghuth has been awarded the disclosure bounty
The fix bounty is now up for grabs
Phương confirmed that a fix has been merged on e61e76 a month ago
Phương has been awarded the fix bounty