Submit #495635: PMWEB PMWeb 7.2.0 Weak Password Policy PMWeb allowing Account Takeover of any user

Title: PMWEB PMWeb 7.2.0 Weak Password Policy PMWeb allowing Account Takeover of any user
Description: Weak Password Policy in PMWeb Allowing Account Takeover

Vulnerability Description
PMWeb is vulnerable to an account takeover attack due to its weak password policy and lack of brute-force protection. This security flaw allows an attacker to compromise both administrator accounts and low-privileged user accounts with minimal effort. The vulnerability arises from the following issues:

1. Weak Password Policy
- PMWeb does not enforce strong password requirements, allowing users to set easily guessable passwords.
- There are no restrictions on commonly used or weak passwords, increasing the risk of credential compromise.

2. Lack of Brute-Force Protection
- The system does not implement account lockout or rate-limiting mechanisms after multiple failed login attempts.
- An attacker can perform automated credential stuffing or dictionary attacks to guess user passwords without being blocked.

Impact
- Administrator Account Takeover: If an attacker gains access to an admin account, they can manipulate system settings, access sensitive data, and take complete control of the platform.
- User Account Compromise: Any low-privileged user account can be easily hijacked, potentially leading to unauthorized access to confidential project information.
- Data Integrity & Confidentiality Risks: Unauthorized access may result in data manipulation, leakage, or service disruption.

Recommended Mitigations
- Enforce strong password policies (minimum length, complexity requirements, and banning common passwords).
- Implement account lockout mechanisms after multiple failed login attempts.
- Introduce multi-factor authentication (MFA) to add an extra layer of security.
- Monitor and log authentication attempts to detect and respond to unusual login activity.

These security improvements are essential to protecting PMWeb from unauthorized access and ensuring the integrity of user accounts.
Source: https://mega.nz/file/yY0BnAgK#08RcRH8c8D4zMhKLEqQwMenHV65lnHsOSuV4eQkdcxY
User: ahmed8199 (UID 60803)
Submission: 05.02.2025 21:05 (1 year ago)
Moderated: 15.02.2025 16:11 (10 days later)
Status: Accepted
VulDB Entry: 295959 [PMWeb 7.2.0 Setting weak authentication]
Points: 20
