Weak Password Policy in kromitgmbh/titra

Valid

Reported on

Jun 13th 2022


Description

You can change your password in profile to a weak password.

Proof of Concept

1. Login and go to your Profile
2. Use the password change feature or https://app.titra.io/changePwd
3.  Enter your current password, fill the "Password" and "Password (again)" with 1
You can see your password has been changed and there is no strong enforcement.

Impact

An attacker could easily guess user passwords and gain access user accounts.

We are processing your report and will contact the kromitgmbh/titra team within 24 hours. 13 days ago
We have contacted a member of the kromitgmbh/titra team and are waiting to hear back 12 days ago
kromitgmbh/titra maintainer validated this vulnerability 10 days ago
Lê Ngọc Hoa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kromitgmbh/titra maintainer confirmed that a fix has been merged on 7f0907 10 days ago
The fix bounty has been dropped
to join this conversation