Unverified Password Change in zmister2016/mrdoc


Reported on

Oct 16th 2021


When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.


Proof of Concept


# 普通用户修改密码
def change_pwd(request):
    if request.method == 'POST':
#  Without verifying the original password
            password = request.POST.get('password',None)
            password2 = request.POST.get('password2',None)
            print(password, password2)
            if password and password== password2:
                if len(password) >= 6:
                    user = User.objects.get(id=request.user.id) 


This vulnerability is capable of

  • setting a new password for a user without knowing the original password,
  • in some certain cases (such as XSS attack), the attacker could directly modify the password with just a valid session

recommended fix

  • validate the original password befroe saving new password
We have contacted a member of the zmister2016/mrdoc team and are waiting to hear back 2 months ago
a month ago


hello, is there any update?

We have sent a second follow up to the zmister2016/mrdoc team. We will try again in 10 days. a month ago
zmister2016 validated this vulnerability a month ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 confirmed that a fix has been merged on 232414 a month ago
zmister2016 has been awarded the fix bounty