Weak Password Requirements in janeczku/calibre-web

Valid

Reported on

Jun 1st 2022

Description

Weak password policy leads to successful bruteforce attack

Steps to reproduce

1.Go to http://localhost:8083/login and login with default credentials admin/admin123

2.Go to http://localhost:8083/me and change password to 123

Noticed that password has been changed successful

Impact

Account takeover

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back a year ago

We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago

We have sent a second follow up to the janeczku/calibre-web team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the janeczku/calibre-web team. This report is now considered stale. a year ago

janeczku validated this vulnerability 10 months ago

Domiee13 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days. 10 months ago

We have sent a second fix follow up to the janeczku/calibre-web team. We will try again in 10 days. 10 months ago

We have sent a third and final fix follow up to the janeczku/calibre-web team. This report is now considered stale. 9 months ago

janeczku

commented 8 months ago

Maintainer

I'm having a fix in the developer branch, but I need some more time for testing before releasing it

janeczku marked this as fixed in 0.6.20 with commit 49e4f5 a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 27th 2023

janeczku published this vulnerability a month ago

to join this conversation