Weak Password Requirements in kcal-app/kcal

Status: Valid

Reported on: Sep 26th 2021

Description
Weak password policy: the password-change form accepts trivially short passwords.

Proof of Concept
Step 1: Log into an account and go to http://demo.kcal.cooking/users/kcal/edit
Step 2: Change the password from kcal to 12 and save the changes.
Step 3: The "updated" message is shown.
The application allows a weak password to be set.

PoC screenshot at the link below:

https://i.ibb.co/L0DLLfB/Screenshot-2.png

Impact
Weak passwords can be guessed, and an attacker can brute-force them when the password is very short, so users should be pushed toward long random strings with special characters. Such passwords can be hard to remember, but from a security standpoint they are far stronger. Strong passwords also need to be stored properly.
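The impact section argues for a minimum length, screening out guessable passwords, and proper storage. The following is an added example, not code from the kcal project or from the report: a server-side password-change handler that would have rejected the PoC's "12", written in Python because the page does not name the application's stack. The policy thresholds, the deny-list entries, the PBKDF2 iteration count and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple, Union

# Policy values are assumptions for this example, not settings from kcal:
# NIST SP 800-63B asks for at least 8 characters, allows long passphrases,
# and prefers screening against known-weak passwords over composition rules.
MIN_LENGTH = 8
MAX_LENGTH = 128
# Constructed deny-list; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"12", "123456", "password", "qwerty", "letmein", "kcal"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _normalize(password: str) -> str:
    # NFKC so visually identical inputs compare and hash identically.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, username: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = _normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password deny-list")
    if username is not None and pw.lower() == username.lower():
        problems.append("identical to the username")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing storage string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        _normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def change_password(username: str, new_password: str) -> Tuple[bool, Union[str, List[str]]]:
    """Server-side password change: reject policy violations, else return the hash to store.

    Returns (True, stored_hash) on success or (False, list_of_problems) on rejection.
    """
    problems = check_password(new_password, username)
    if problems:
        return False, problems
    return True, hash_password(new_password)


if __name__ == "__main__":
    # The report's PoC: user "kcal" tries to set the password "12".
    print(change_password("kcal", "12"))
    ok, stored = change_password("kcal", "correct horse battery staple")
    print(ok, verify_password("correct horse battery staple", stored))
```

The check runs on the server, never only in the browser, so the PoC's direct form submission cannot bypass it; the deny-list and username comparison catch the original password "kcal" as well as the "12" from the report.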

We have contacted a member of the kcal-app/kcal team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
@0xAmal (Researcher), 2 years ago:
thanks sir

Christopher Charbonneau Wells marked this as fixed with commit f7a95c 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE