Weak Password Policy in kromitgmbh/titra

Valid

Reported on

Jun 13th 2022


Description

The profile page lets you change your password to an arbitrarily weak one; no minimum length or complexity is enforced.

Proof of Concept

1. Log in and go to your Profile
2. Use the password change feature or https://app.titra.io/changePwd
3. Enter your current password, then fill "Password" and "Password (again)" with 1

The password is changed successfully, showing that no strength requirements are enforced.

Impact

An attacker could easily guess user passwords and gain access to user accounts.

We are processing your report and will contact the kromitgmbh/titra team within 24 hours. a year ago
We have contacted a member of the kromitgmbh/titra team and are waiting to hear back a year ago
kromitgmbh/titra maintainer validated this vulnerability a year ago
Lê Ngọc Hoa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kromitgmbh/titra maintainer marked this as fixed in 0.78.1 with commit 7f0907 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE