Weak Password Recovery Mechanism for Forgotten Password in babybuddy/babybuddy


Reported on

Sep 15th 2021


Weak password implementation

Proof of Concept

step 1: login into account
step 2: goto settings http://demo.baby-buddy.net/user/password/
step 3: change password admin to 12 and save changes
step 4: we can see updated message
application is allowing to set weak password.

poc of image in below link



Weak passwords can be guessable or attacker can bruteforce if the length of the password is very small, so try to use random strings with special characters. Though that can be hard to remember as a security point of view it's quite secure. Strong password is also needed to be stored properly.

We have contacted a member of the babybuddy team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit 45cb43 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation