Weak Password Requirements in cortezaproject/corteza-server


Reported on Jul 18th 2021

Passwords shorter than 8 characters are considered weak (NIST SP 800-63B). The maximum password length should not be set too low, as that prevents users from creating passphrases. ... It is important to set a maximum password length to prevent long-password denial-of-service attacks.

STEPS FOR REPRODUCTION:
1) Go to https://latest.cortezaproject.org/auth/login
2) Create an account
3) Enter the username, email address and password as 'admin' and your account will be created
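The policy the report describes (minimum length per NIST SP 800-63B, plus a maximum enforced before any hashing so oversized input cannot be used to burn CPU) can be expressed as a small validator. The following Go example is added here and is not Corteza's code; the 128-byte maximum, the error names, and the extra check that the password is not simply the username or email (which is exactly what the reproduction steps submit) are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy bounds assumed for this example: the report only says "at least 8"
// (NIST SP 800-63B) and "a maximum that is not set too low".
const (
	MinPasswordLength = 8   // characters (runes), per NIST SP 800-63B
	MaxPasswordBytes  = 128 // assumed cap, checked in bytes before hashing
)

var (
	ErrTooShort      = errors.New("password must be at least 8 characters")
	ErrTooLong       = errors.New("password exceeds maximum length")
	ErrEqualsAccount = errors.New("password must not match username or email")
)

// ValidatePassword applies the policy before the password reaches the hasher.
func ValidatePassword(password, username, email string) error {
	// Reject oversized input first, so a client cannot force the server to
	// hash megabyte-sized passwords (the long-password DoS the report mentions).
	if len(password) > MaxPasswordBytes {
		return ErrTooLong
	}
	// Count characters, not bytes, so multi-byte passphrases are not penalised.
	if utf8.RuneCountInString(password) < MinPasswordLength {
		return ErrTooShort
	}
	// The reproduction on this page registers with username, email and password
	// all set to "admin"; refuse passwords equal to either account field.
	lower := strings.ToLower(password)
	if lower == strings.ToLower(username) || lower == strings.ToLower(email) {
		return ErrEqualsAccount
	}
	return nil
}

func main() {
	// Constructed sample registrations.
	cases := []struct{ pw, user, email string }{
		{"admin", "admin", "admin"},                          // the report's input
		{"correct horse battery", "alice", "a@example.com"},  // passphrase, allowed
		{"alice@example.com", "alice", "alice@example.com"},  // equals email, rejected
		{strings.Repeat("a", 200), "bob", "b@example.com"},   // oversized, rejected
	}
	for _, c := range cases {
		fmt.Printf("%-25q -> %v\n", c.pw, ValidatePassword(c.pw, c.user, c.email))
	}
}
```

The order of the checks matters: the length cap runs before anything that scales with input size, and the whole validator runs before the password is ever passed to a slow hash such as bcrypt, which is where an unbounded length would hurt.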

💥 Impact

Improper secure design principles.

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 10 months ago
Tomaž Jerman
7 months ago


Thank you for reporting; I'll get one of our guys to resolve this

Tomaž Jerman validated this vulnerability 7 months ago
sudheendra17 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh confirmed that a fix has been merged on 420b5e 3 months ago
The fix bounty has been dropped