Weak policy at Change password function in kromitgmbh/titra


Reported on

Jun 13th 2022


We can register an normal account with >= 8 characters password. But we ccan change password with just 1 character when we use change password function

Proof of Concept



When users change password to a too simple password, attacker can easily guess user password and access account.

We are processing your report and will contact the kromitgmbh/titra team within 24 hours. a year ago
We have contacted a member of the kromitgmbh/titra team and are waiting to hear back a year ago
kromitgmbh/titra maintainer validated this vulnerability a year ago
Tran Duc Anh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tran Duc Anh
a year ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a year ago


If the maintainer is happy to proceed with a CVE, we will assign and publish one on their behalf.


kromitgmbh/titra maintainer marked this as fixed in 0.78.1 with commit 7f0907 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
kromitgmbh/titra maintainer
a year ago


I am okay with a CVE but the vulnerability has just been fixed in the latest version of titra (0.78.1).

Jamie Slome
a year ago


Sorted 👍

@maintainer - it is good and standard practice to publish CVEs, especially after they have been fixed :)

to join this conversation