Submit #664517: NovoSGA 2.2.12 Weak Password Requirements

Title: NovoSGA 2.2.12 Weak Password Requirements
Description:

## Summary

A **Weak Password Policy** vulnerability was identified in the user registration functionality of the _Novosga_ application. It allows the creation of accounts with extremely weak and predictable passwords, such as `123456`, which exposes the platform to brute-force and credential stuffing attacks.

---

## Details

**Vulnerable Component:** User registration / password creation

The application does not enforce a strong password policy. As a result, users can be registered with trivial and well-known weak passwords, compromising the authentication security of the platform.

---

## PoC

1. Log in with the Administrator account and navigate to the user registration page.
   ![[Pasted image 20250928002128.png]]
2. Create a new user account with the password `123456`.
   ![[Pasted image 20250928002354.png]]
3. The application accepts the weak password without restriction and creates the account successfully.
   ![[Pasted image 20250928002428.png]]

---

## Impact

Weak password policy vulnerabilities can have significant consequences, including:

- Increased risk of brute-force and credential stuffing attacks
- Unauthorized access to user or administrative accounts
- Privilege escalation through compromised accounts
- Reduced overall security posture of the application

### Mitigation

- Enforce a strong password policy (minimum length; use of uppercase, lowercase, digits, and special characters).
- Reject commonly known weak passwords (e.g., via a blocklist containing entries such as “123456”, “password”, “qwerty”).
- Encourage or enforce multi-factor authentication (MFA) to limit the impact of compromised weak passwords.
- Implement rate limiting or account lockout to slow down brute-force attempts.
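The server-side check the Mitigation section calls for, as an added example that is not NovoSGA's own code. The concrete rules (a 12-character minimum, the blocklist contents beyond the three values the report names, and the confirmation check mirroring the Senha / Confirmação da senha fields of the user-creation form) are assumptions for illustration:

```python
"""Password policy validator modelled on the report's mitigation list.
Added example; the thresholds and blocklist are assumptions, not NovoSGA's."""
import string

# Constructed blocklist: the three values the report names plus a few
# obvious siblings. A real deployment would load a much larger list.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "12345678", "123456789", "admin",
})
MIN_LENGTH = 12  # assumed minimum; tune to local policy


def password_policy_errors(password: str, confirmation: str) -> list[str]:
    """Return every policy violation for a candidate password.

    An empty list means the password is acceptable. The confirmation
    argument mirrors the 'Senha' / 'Confirmação da senha' pair on the
    NovoSGA user-creation form, so a mismatch is reported as well.
    """
    errors = []
    if password != confirmation:
        errors.append("password and confirmation do not match")
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no special character")
    # Case-insensitive blocklist lookup so "Password" is caught too.
    if password.lower() in COMMON_PASSWORDS:
        errors.append("password is on the common-password blocklist")
    return errors


def is_acceptable(password: str, confirmation: str) -> bool:
    """True only when no policy rule is violated."""
    return not password_policy_errors(password, confirmation)


if __name__ == "__main__":
    # The value from the PoC, and one that satisfies every rule.
    for candidate in ("123456", "Correct-Horse-7-Battery"):
        print(candidate, password_policy_errors(candidate, candidate) or "ok")
```

Wiring this into the registration handler and rejecting the request when the list is non-empty is what closes the gap the PoC demonstrates.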
Source: https://github.com/marcelomulder/CVE/blob/main/NovoSga/Weak%20Password%20Policy%20in%20Novosga.md
User: marceloQz (UID 87549)
Submitted: 28.09.2025 06:04 (8 months ago)
Moderated: 05.10.2025 08:41 (7 days later)
Status: Accepted
VulDB Entry: 327203 [Mangati NovoSGA up to 2.2.12 User Creation Page /novosga.users/new Senha/Confirmação da senha weak authentication]
Points: 20
