Weak Password Policy in kromitgmbh/titra

Valid

Reported on

Jun 13th 2022

Description

You can change your password in profile to a weak password.

Proof of Concept

1. Login and go to your Profile
2. Use the password change feature or https://app.titra.io/changePwd
3.  Enter your current password, fill the "Password" and "Password (again)" with 1
You can see your password has been changed and there is no strong enforcement.

Impact

An attacker could easily guess user passwords and gain access user accounts.

References

We are processing your report and will contact the kromitgmbh/titra team within 24 hours. 13 days ago

We have contacted a member of the kromitgmbh/titra team and are waiting to hear back 12 days ago

A kromitgmbh/titra maintainer validated this vulnerability 10 days ago

Lê Ngọc Hoa has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A kromitgmbh/titra maintainer confirmed that a fix has been merged on 7f0907 10 days ago

The fix bounty has been dropped

to join this conversation