Weak policy at Change password function in kromitgmbh/titra


Reported on

Jun 13th 2022


We can register a normal account with a password of >= 8 characters, but we can change the password to just 1 character when we use the change password function.

Proof of Concept



When users change their password to a too-simple password, an attacker can easily guess the user's password and access the account.
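The defect described above is a policy enforced on one code path (registration) but not on another (change password). The following is an added example, not titra's code, showing one server-side policy function shared by both paths; the minimum length of 8 is the registration rule the report states, and the user store, function names and sample passwords are constructed for the demo.

```javascript
// Added example (not titra's code): a single server-side password policy
// applied on both the registration and the change-password path, so the
// second path cannot silently accept a weaker password than the first.
const MIN_PASSWORD_LENGTH = 8; // the registration rule the report describes

function checkPasswordPolicy(password) {
  if (typeof password !== 'string') return { ok: false, reason: 'not a string' };
  if (password.length < MIN_PASSWORD_LENGTH) {
    return { ok: false, reason: `shorter than ${MIN_PASSWORD_LENGTH} characters` };
  }
  return { ok: true };
}

// In-memory user store standing in for the database (constructed for the demo;
// passwords are kept in the clear only to keep the example short).
const users = new Map();

function registerUser(username, password) {
  const verdict = checkPasswordPolicy(password);
  if (!verdict.ok) throw new Error(`weak password: ${verdict.reason}`);
  users.set(username, { password });
  return true;
}

// Vulnerable shape: the change path trusts the client and re-checks nothing,
// so a 1-character password is accepted even though registration refused it.
function changePasswordUnchecked(username, newPassword) {
  users.get(username).password = newPassword;
  return true;
}

// Hardened shape: the change path runs exactly the same policy as registration.
function changePasswordChecked(username, newPassword) {
  const verdict = checkPasswordPolicy(newPassword);
  if (!verdict.ok) throw new Error(`weak password: ${verdict.reason}`);
  users.get(username).password = newPassword;
  return true;
}

// Walk through the report's scenario and return what each path accepted.
function demo() {
  registerUser('alice', 'correct-horse-8');
  const uncheckedAccepted = changePasswordUnchecked('alice', 'a');
  let checkedAccepted;
  try { checkedAccepted = changePasswordChecked('alice', 'a'); }
  catch (e) { checkedAccepted = false; }
  return { uncheckedAccepted, checkedAccepted };
}
```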

We are processing your report and will contact the kromitgmbh/titra team within 24 hours. 16 days ago
We have contacted a member of the kromitgmbh/titra team and are waiting to hear back 15 days ago
kromitgmbh/titra maintainer validated this vulnerability 15 days ago
Tran Duc Anh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tran Duc Anh
15 days ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
15 days ago


If the maintainer is happy to proceed with a CVE, we will assign and publish one on their behalf.


kromitgmbh/titra maintainer confirmed that a fix has been merged on 7f0907 13 days ago
The fix bounty has been dropped
kromitgmbh/titra maintainer
13 days ago


I am okay with a CVE but the vulnerability has just been fixed in the latest version of titra (0.78.1).

Jamie Slome
13 days ago


Sorted 👍

@maintainer - it is good and standard practice to publish CVEs, especially after they have been fixed :)
