# NovoSGA 2.2.12 Weak Password Requirements

## Summary
A **Weak Password Policy** vulnerability was identified in the user registration functionality of the _Novosga_ application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as `123456`. This exposes the platform to brute-force and credential stuffing attacks.
---
## Details
**Vulnerable Component:** User registration / password creation
The application fails to enforce a strong password policy. As a result, users can register accounts with trivial and well-known weak passwords, compromising the authentication security of the platform.
---
## PoC
1. After logging in with the Administrator account, navigate to the user registration page.
2. Create a new user account with the password `123456`.
3. The application accepts the weak password without restrictions and creates the account successfully.
---
## Impact
Weak password policy vulnerabilities can have significant consequences, including:
- Increased risk of brute-force and credential stuffing attacks
- Unauthorized access to user or administrative accounts
- Privilege escalation through compromised accounts
- Reduced overall security posture of the application
### Mitigation
- Enforce a strong password policy (minimum length; use of uppercase, lowercase, digits, and special characters).
- Reject commonly known weak passwords by checking candidates against a blocklist (e.g., “123456”, “password”, “qwerty”).
- Encourage or enforce multi-factor authentication (MFA) to limit the impact of a compromised weak password.
- Implement rate limiting or account lockout to slow down brute-force attempts.
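One way to implement the length, character-class and blocklist checks listed above, as an added Python illustration that is not NovoSGA's own code (NovoSGA is a PHP application; the logic is the same in any language). The blocklist here is a constructed, deliberately short sample; a real deployment would load a large list such as a breached-password corpus.

```python
import re

# Constructed, deliberately short blocklist; a real deployment would load a
# large list (e.g. a breached-password corpus) rather than hard-code it.
COMMON_PASSWORDS = {"123456", "12345678", "123456789", "password", "qwerty", "admin", "letmein"}

MIN_LENGTH = 12

# Common letter substitutions undone before the blocklist check, so that
# "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})


def _normalise(pw: str) -> str:
    return pw.lower().translate(_LEET)


def password_policy_violations(pw: str, username: str = "") -> list[str]:
    """Return every policy rule the candidate password breaks; an empty list means accepted."""
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    lowered, normalised = pw.lower(), _normalise(pw)
    for weak in sorted(COMMON_PASSWORDS):
        # exact match for short entries, substring match for longer ones
        hit = lowered == weak or normalised == weak
        if len(weak) >= 6:
            hit = hit or weak in lowered or weak in normalised
        if hit:
            problems.append(f"contains blocklisted password '{weak}'")
            break
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def is_password_acceptable(pw: str, username: str = "") -> bool:
    return not password_policy_violations(pw, username)


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1234!", "Correct-Horse-Battery-7!"):
        print(candidate, "->", password_policy_violations(candidate) or "accepted")
```

Note that the leet normalisation is what catches `P@ssw0rd1234!`, which would pass a naive character-class check despite being a trivial variant of a blocklisted password.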
| Field | Value |
|---|---|
| Source | https://github.com/marcelomulder/CVE/blob/main/NovoSga/Weak%20Password%20Policy%20in%20Novosga.md |
| User | marceloQz (UID 87549) |
| Submission | 2025-09-28 06:04 (8 months ago) |
| Moderation | 2025-10-05 08:41 (7 days later) |
| Status | Accepted |
| VulDB Entry | 327203 [Mangati NovoSGA up to 2.2.12 User Creation Page /novosga.users/new Senha/Confirmação da senha weak authentication] |
| Points | 20 |