Weak Password policy on account registration in answerdev/answer

Valid

Reported on

Apr 26th 2023


Description

It was observed that the application allows an account to be created with blank spaces as the password.

Proof of Concept

1. Go to https://meta.answer.dev/users/register
2. Create an account with 10 blank spaces as the password

Result:
The application allows a user account to be created with blank spaces as the password.

Impact

The vulnerability may allow an attacker to guess users’ passwords and gain unauthorized access to the application.
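
The following is an added example, not part of the original report and not the project's fix in commit 7d23b1. It contrasts a length-only check, which accepts the 10 blank spaces from the proof of concept, with a check that counts only visible characters. The names `lengthOnly`, `visibleRunes` and `checkPassword` and the minimum length of 8 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// minLen is an assumed policy value, not taken from answerdev/answer.
const minLen = 8

// lengthOnly models a check that looks at length alone.
func lengthOnly(pw string) error {
	if utf8.RuneCountInString(pw) < minLen {
		return errors.New("password too short")
	}
	return nil
}

// visibleRunes counts characters a user can actually see: graphic runes
// that are not whitespace. Zero-width and control characters are excluded.
func visibleRunes(pw string) int {
	n := 0
	for _, r := range pw {
		if unicode.IsGraphic(r) && !unicode.IsSpace(r) {
			n++
		}
	}
	return n
}

// checkPassword (hypothetical helper) rejects blank passwords and counts
// only visible characters toward the minimum length. Inner spaces remain
// allowed, so passphrases still pass.
func checkPassword(pw string) error {
	if strings.TrimSpace(pw) == "" {
		return errors.New("password must not be blank")
	}
	if visibleRunes(pw) < minLen {
		return errors.New("password needs more visible characters")
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	for _, pw := range []string{strings.Repeat(" ", 10), "\u00a0\u200b\t      ", "correct horse battery"} {
		fmt.Printf("%q lengthOnly=%v checkPassword=%v\n", pw, lengthOnly(pw), checkPassword(pw))
	}
}
```

The second sample shows why trimming ASCII spaces alone is not enough: it mixes a non-breaking space, a zero-width space and a tab, none of which render as visible characters.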

We are processing your report and will contact the answerdev/answer team within 24 hours. 5 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 5 months ago
Mohammed
2 months ago

Researcher


Hi Team, any updates on the reported issue? Appreciate your reply!

answerdev/answer maintainer validated this vulnerability 2 months ago

Thanks for the feedback!

Mohammed A. Siledar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in v1.1.0 with commit 7d23b1 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 2 months ago