| Title | PMWEB PMWeb 7.2.0 Weak Password Policy PMWeb allowing Account Takeover of any user |
|---|
| Description | Weak Password Policy in PMWeb Allowing Account Takeover
Vulnerability Description
PMWeb is vulnerable to account takeover because it combines a weak password policy with an absence of brute-force protection. Together these flaws allow an attacker to compromise both administrator accounts and low-privileged user accounts with minimal effort.
The vulnerability arises from the following issues:
1. Weak Password Policy
- PMWeb does not enforce strong password requirements, so users can set easily guessable passwords.
- There is no restriction on commonly used or weak passwords, which increases the risk of credential compromise.
2. Lack of Brute-Force Protection
- The system does not implement account lockout or rate limiting after repeated failed login attempts.
- An attacker can therefore run automated dictionary or credential-stuffing attacks against user passwords without being blocked.
Impact
- Administrator Account Takeover: an attacker who gains access to an admin account can change system settings, access sensitive data, and take complete control of the platform.
- User Account Compromise: any low-privileged user account can be hijacked, exposing confidential project information.
- Data Integrity and Confidentiality Risks: unauthorized access may lead to data manipulation, leakage, or service disruption.
Recommended Mitigations
- Enforce a strong password policy (minimum length, complexity requirements, and a denylist of common passwords).
- Lock accounts, or at least rate-limit login attempts, after multiple failed attempts.
- Introduce multi-factor authentication (MFA) as an additional layer of protection.
- Log and monitor authentication attempts so that unusual login activity can be detected and responded to.
These measures are essential to protecting PMWeb from unauthorized access and preserving the integrity of user accounts. |
|---|
| Source | ⚠️ https://mega.nz/file/yY0BnAgK#08RcRH8c8D4zMhKLEqQwMenHV65lnHsOSuV4eQkdcxY |
|---|
| User | ahmed8199 (UID 60803) |
|---|
| Submission | 02/05/2025 21:05 (1 Year ago) |
|---|
| Moderation | 02/15/2025 16:11 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 295959 [PMWeb 7.2.0 Setting weak password] |
|---|
| Points | 20 |
|---|
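The Recommended Mitigations in the description above, as an added example written for this page; it is neither PMWeb's code nor the submitter's. It assumes a hypothetical account `alice`, a constructed common-password denylist, in-memory storage, and an injectable clock so the lockout can be shown deterministically. MFA needs a second channel and is left out; the block covers policy enforcement at password-set time, constant-time verification that does not leak which usernames exist, per-account and per-IP lockout, and a structured audit line per attempt.

```python
# Added example, not PMWeb code: the advisory's mitigations as working logic.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MIN_LENGTH = 12
# Constructed denylist for the example; a deployment would load a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty",
                    "admin", "welcome", "letmein", "pmweb", "pmweb123", "p@ssw0rd"}

def password_violations(password: str, username: str = "") -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum(any(f(c) for c in password) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems

def _derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2) so a stolen user table cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self):
        self._users = {}                            # username -> (salt, derived key)
        self._dummy = (os.urandom(16), bytes(32))   # stand-in for unknown users
    def add_user(self, username: str, password: str) -> None:
        """Enforce the policy at set time; weak passwords never reach the table."""
        problems = password_violations(password, username)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))
    def verify(self, username: str, password: str) -> bool:
        # Derive even for unknown users so timing does not reveal valid usernames.
        known = username in self._users
        salt, stored = self._users.get(username, self._dummy)
        return hmac.compare_digest(_derive(password, salt), stored) and known

class LoginThrottle:
    """Sliding-window failure counter per key ("user:..."/"ip:...") with lockout: per-user
    limits stop dictionary attacks, per-IP limits stop spraying across many accounts."""
    def __init__(self, max_fails=5, ip_max_fails=20, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_fails, self.ip_max_fails = max_fails, ip_max_fails
        self.window, self.lockout, self.clock = window, lockout, clock
        self._fails = defaultdict(deque)            # key -> recent failure times
        self._locked_until = {}
    def is_locked(self, key: str) -> bool:
        return self._locked_until.get(key, 0) > self.clock()
    def record_failure(self, key: str, limit: int) -> None:
        now, q = self.clock(), self._fails[key]
        while q and now - q[0] > self.window:       # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= limit:
            self._locked_until[key] = now + self.lockout
            q.clear()
    def record_success(self, key: str) -> None:
        self._fails.pop(key, None)

class AuthService:
    def __init__(self, store: UserStore, throttle: LoginThrottle):
        self.store, self.throttle, self.audit = store, throttle, []
    def login(self, username: str, password: str, source_ip: str) -> str:
        user_key, ip_key = f"user:{username}", f"ip:{source_ip}"
        if self.throttle.is_locked(user_key) or self.throttle.is_locked(ip_key):
            outcome = "locked"
        elif self.store.verify(username, password):
            self.throttle.record_success(user_key)
            outcome = "ok"
        else:                                       # same answer for bad user or bad password
            self.throttle.record_failure(user_key, self.throttle.max_fails)
            self.throttle.record_failure(ip_key, self.throttle.ip_max_fails)
            outcome = "fail"
        # Structured audit line for the SIEM; bursts of "fail" per ip= are the alert signal.
        self.audit.append(f"auth user={username} ip={source_ip} outcome={outcome}")
        return outcome

def demo() -> list:
    """Five wrong guesses lock the assumed account 'alice'; then lockout expiry is shown."""
    clock = [0.0]                                   # fake clock keeps the demo deterministic
    svc = AuthService(UserStore(), LoginThrottle(clock=lambda: clock[0]))
    svc.store.add_user("alice", "Tr0ub4dor&3-Horse!")
    results = [svc.login("alice", "password1", "203.0.113.7") for _ in range(5)]
    results.append(svc.login("alice", "Tr0ub4dor&3-Horse!", "203.0.113.7"))
    clock[0] += 1000                                # past the 900 s lockout
    results.append(svc.login("alice", "Tr0ub4dor&3-Horse!", "203.0.113.7"))
    return results
```

Running `demo()` returns five `fail` results, then `locked` even though the sixth attempt used the correct password, then `ok` once the fake clock has moved past the lockout; `svc.audit` holds one line per attempt in a shape a SIEM rule can count failures per `ip=` on. The per-IP counter is the part most lockout implementations forget: without it, an attacker who stays under the per-account limit can still spray a handful of common passwords across every username.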