Weak Password Requirements in janeczku/calibre-web

Valid

Reported on

Jun 1st 2022


Description

A weak password policy (no minimum length or complexity is enforced) makes a brute-force attack against user accounts practical.

Steps to reproduce

1. Go to http://localhost:8083/login and log in with the default credentials admin/admin123

2. Go to http://localhost:8083/me and change the password to 123

3. Notice that the password change is accepted and the password is now 123

Impact

Account takeover
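To show what the missing control looks like, here is an added example of a server-side password policy check that rejects the 3-character password from the steps above. It is illustration only, not calibre-web's code or its actual fix; the thresholds, the deny-list and the `change_password` wrapper are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class PasswordPolicy:
    """Minimum requirements a new password must meet.

    The default values are assumed for this example, not taken from calibre-web.
    """
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    # Constructed deny-list of trivially guessable values (example data only).
    denied: Set[str] = field(
        default_factory=lambda: {"123", "123456", "password", "admin123"}
    )

    def check(self, password: str, username: str = "") -> List[str]:
        """Return every policy violation found; an empty list means accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lowercase letter")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no uppercase letter")
        if self.require_digit and not re.search(r"\d", password):
            problems.append("no digit")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
        if password.lower() in self.denied:
            problems.append("on the deny-list")
        # A password that embeds the account name is guessable from public data.
        if username and username.lower() in password.lower():
            problems.append("contains the username")
        return problems


def change_password(policy: PasswordPolicy, username: str,
                    new_password: str) -> Tuple[bool, List[str]]:
    """Hypothetical profile handler: refuse the change unless the policy passes.

    Returns (accepted, violations). A real handler would only hash and store
    the new password when `accepted` is True.
    """
    problems = policy.check(new_password, username)
    if problems:
        return False, problems
    return True, []


if __name__ == "__main__":
    policy = PasswordPolicy()
    # The change from the report's step 2 is now rejected with the reasons listed.
    print(change_password(policy, "admin", "123"))
    # The default credential is rejected too, so it cannot be set again.
    print(change_password(policy, "admin", "admin123"))
    # A password that satisfies every rule is accepted.
    print(change_password(policy, "admin", "Tr0ub4dor&3-longer!"))
```

The check runs on the server, where the client cannot bypass it; a deny-list of known defaults such as the installation's own admin123 keeps users from switching back to the value the report logged in with.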

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
We have sent a second follow up to the janeczku/calibre-web team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the janeczku/calibre-web team. This report is now considered stale. a year ago
janeczku validated this vulnerability 10 months ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days. 10 months ago
We have sent a second fix follow up to the janeczku/calibre-web team. We will try again in 10 days. 10 months ago
We have sent a third and final fix follow up to the janeczku/calibre-web team. This report is now considered stale. 9 months ago
janeczku
8 months ago

Maintainer


I have a fix in the developer branch, but I need some more time for testing before releasing it

janeczku marked this as fixed in 0.6.20 with commit 49e4f5 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 27th 2023
janeczku published this vulnerability a month ago