Weak Password Policy in publify/publify

Valid

Reported on

May 22nd 2022


Description

I would like to let you know about the password management issue.

Proof of Concept

1- Go to your Profile or https://demo-publify.herokuapp.com

2- Give a password as simple as 12345678.

You can see that the password has been changed and there is no strength enforcement.

Impact

This password can easily be cracked using a dictionary attack.

Fix:

Use complex password management.
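As an added example of the kind of enforcement the fix calls for (this is not publify's own code and not the change shipped in commit 8905e4), a stand-alone Ruby password policy check: the 12-character minimum, the sample denylist entries and the rule set are assumptions.

```ruby
# Added example, not publify's own fix: a plain Ruby password policy module
# that rejects passwords such as "12345678" and reports every failed rule.
require 'set'

module PasswordPolicy
  MIN_LENGTH = 12 # assumed threshold
  # Constructed sample denylist; a real deployment would load a large
  # breached-password list instead of these few entries.
  COMMON_PASSWORDS = Set.new(%w[12345678 password password1 qwerty123 letmein1 iloveyou]).freeze

  # Returns an array of human-readable reasons the password is rejected;
  # an empty array means the password satisfies the policy.
  def self.violations(password, username: nil)
    pw = password.to_s
    reasons = []
    reasons << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    reasons << "is on the common-password denylist" if COMMON_PASSWORDS.include?(pw.downcase)
    if username && !username.empty? && pw.downcase.include?(username.downcase)
      reasons << "must not contain the username"
    end
    classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].count { |re| pw.match?(re) }
    reasons << "must use at least 3 of: lowercase, uppercase, digits, symbols" if classes < 3
    reasons << "must not be a single repeated or sequential run" if trivial_sequence?(pw)
    reasons
  end

  def self.acceptable?(password, username: nil)
    violations(password, username: username).empty?
  end

  # Detects strings like "aaaaaaaa", "12345678" or "abcdefgh": every adjacent
  # pair of code points differs by the same step (0 for repeats, +/-1 for runs).
  def self.trivial_sequence?(pw)
    return false if pw.length < 3
    codes = pw.codepoints
    step = codes[1] - codes[0]
    return false unless step.abs <= 1
    codes.each_cons(2).all? { |a, b| b - a == step }
  end
end

if $PROGRAM_NAME == __FILE__
  ['12345678', 'Correct-Horse-Battery-9'].each do |pw|
    v = PasswordPolicy.violations(pw)
    puts "#{pw.inspect}: #{v.empty? ? 'accepted' : "rejected (#{v.join('; ')})"}"
  end
end
```

The same check can be wired into a Rails model as a custom validator that adds each returned reason to `errors[:password]`.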

We are processing your report and will contact the publify team within 24 hours. 10 months ago
publify/publify maintainer has acknowledged this report 10 months ago
Matijs van Zuijlen modified the Severity from High (8.4) to Medium (6.4) 2 months ago
Matijs van Zuijlen modified the Severity from Medium (6.4) to High (8.2) 2 months ago
Matijs van Zuijlen modified the Severity from High (8.2) to High (8.1) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matijs van Zuijlen validated this vulnerability 2 months ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matijs van Zuijlen marked this as fixed in 9.2.10 with commit 8905e4 2 months ago
Matijs van Zuijlen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Matijs van Zuijlen published this vulnerability 2 months ago