huntr report 58EAE29E-3619-449D-9BBA-FDCBABCBA5FE
Reported by uonghoangminhchau
History: Sep 09, 2022 - 8:02 a.m.

Password can be set extremely weak

2022-09-09 08:02:42
uonghoangminhchau
www.huntr.dev
Tags: weak password, demo website, no password policy, admin login, user access, password change

EPSS: 0.001
Percentile: 41.1%

Description

In this scenario, I use the demo website. It allows us to add more users for testing. For the password, we can set it to 1 (or any single character). There is no password policy and no password checking. Moreover, it also allows us to change the password, and the new password can also be set the same way.

Proof of Concept

Access the demo website and log in as an admin.
Add a user with password 1 or any single character (short, weak).
Try to log in with the new user; it succeeds.

With a normal user, log in and try the change password function; it also succeeds.
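Added example (not code from this report or the demo site it describes): one server-side password policy routine applied to both paths the report exercises, user creation and password change, so a one-character password such as 1 is rejected in both places. The class and function names, the minimum length and the banned-password list are assumptions.

```python
# Added example, not code from the huntr report or the demo site it describes.
# One shared policy check applied to both paths the report exercises
# (create user, change password). Names like UserStore are hypothetical.
import hashlib
import os
import unicodedata

MIN_LENGTH = 12  # NIST SP 800-63B requires at least 8; 12 is a common stricter choice
# Constructed sample of a breached-password blocklist; real deployments load a large list.
BANNED = {"1", "123456", "password", "qwerty", "admin", "letmein"}

def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = unicodedata.normalize("NFKC", password)  # defeat Unicode look-alike tricks
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BANNED:
        problems.append("on the banned-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems

def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class UserStore:
    """In-memory store; every password write goes through check_password."""
    def __init__(self):
        self._users = {}

    def add_user(self, username: str, password: str) -> None:
        self._set(username, password)

    def change_password(self, username: str, new_password: str) -> None:
        if username not in self._users:
            raise KeyError(username)
        self._set(username, new_password)

    def _set(self, username: str, password: str) -> None:
        problems = check_password(password, username)
        if problems:
            raise ValueError("; ".join(problems))  # reject before anything is stored
        self._users[username] = hash_password(password)
```

Because both `add_user` and `change_password` route through the same `_set`, the admin-created account and the self-service password change in the report are covered by a single enforcement point.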

