InvenTree Deploys a Weak Password Change Mechanism in inventree/inventree
Jun 16th 2022
When an authenticated user sets a new password, InvenTree does not require the current password or any other form of re-authentication (such as a second factor) before accepting the change.
Proof of Concept
1. Log in as a regular user.
2. Open the account settings link.
3. Select Set Password.
4. Enter any 8-character password string; this form is not subject to the common-password blocklist that is applied at initial user creation.
If an attacker gains access to an active user session (for example, by using an unattended, unlocked workstation), they can set a new password without knowing the victim's current one, locking the legitimate user out and fully compromising the account.
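The two gaps in the proof of concept, no re-authentication and a password policy that is skipped on change, side by side in a constructed example. This is added illustration, not InvenTree's code: the `User` class, the blocklist and both change functions are hypothetical stand-ins for the behaviour the advisory describes, and the strong-password values are made up.

```python
"""Weak vs hardened password-change logic (added example, not InvenTree code).

Constructed stand-in for the behaviour described above: the weak path accepts
any 8-character string without re-authentication; the hardened path requires
the current password and applies the common-password blocklist that the page
says is only enforced at user creation.
"""
import hashlib
import hmac
import os

# Constructed blocklist standing in for a real common-password list
# (assumption for this example, not InvenTree's data).
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}
MIN_LENGTH = 8


class User:
    """Minimal user record with a salted PBKDF2 hash (hypothetical model)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt = b""
        self.password_hash = b""
        self.set_password(password)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, candidate: str) -> bool:
        # Constant-time compare so a timing side channel cannot leak the hash.
        return hmac.compare_digest(self._hash(candidate, self.salt), self.password_hash)

    def set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.password_hash = self._hash(new_password, self.salt)


def weak_set_password(user: User, new_password: str) -> tuple[bool, str]:
    """The flaw as reported: no current-password check, only a length check."""
    if len(new_password) < MIN_LENGTH:
        return False, "password too short"
    user.set_password(new_password)
    return True, "password changed"


def validate_new_password(new_password: str) -> None:
    """Policy that should apply on change exactly as it does on creation."""
    if len(new_password) < MIN_LENGTH:
        raise ValueError("password too short")
    if new_password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is too common")


def hardened_change_password(user: User, current_password: str, new_password: str) -> tuple[bool, str]:
    """Re-authenticate with the current password before accepting a new one."""
    if not user.check_password(current_password):
        return False, "current password incorrect"
    try:
        validate_new_password(new_password)
    except ValueError as exc:
        return False, str(exc)
    user.set_password(new_password)
    return True, "password changed"


def demo() -> dict:
    """Run both paths from a hijacked session that does not know the current password."""
    victim = User("alice", "correct-horse-battery-staple")  # constructed credentials
    results = {}
    # Attacker has the session but not the current password.
    results["weak"] = weak_set_password(victim, "12345678")
    results["weak_login_with_new"] = victim.check_password("12345678")
    victim = User("alice", "correct-horse-battery-staple")
    results["hardened_no_secret"] = hardened_change_password(victim, "guess", "12345678")
    results["hardened_common"] = hardened_change_password(victim, "correct-horse-battery-staple", "12345678")
    results["hardened_ok"] = hardened_change_password(victim, "correct-horse-battery-staple", "Tr0ub4dor&3-longer")
    results["old_password_still_valid"] = victim.check_password("correct-horse-battery-staple")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a Django application the same distinction already exists in `django.contrib.auth.forms`: `SetPasswordForm` takes only the new password and is intended for token-based reset flows, while `PasswordChangeForm` adds an `old_password` field that is verified against the stored hash; both run the configured `AUTH_PASSWORD_VALIDATORS` on the new value. A self-service change from an authenticated session should use the latter, and should rotate or re-key the session afterwards so that any other copy of the session is invalidated.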