[ 
https://issues.apache.org/jira/browse/FINERACT-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gavin McDonald updated FINERACT-2127:
-------------------------------------
    Description: [Redacted]  (was: h2. Description
 
The application does not require that users have strong passwords, which 
makes it easier for attackers to compromise user accounts.
 
h2. Impact Details
The vulnerability may allow an attacker to guess users’ passwords and gain 
unauthorized access to the application.
 
h2. Reproduction Steps
 
1- Log in at [https://openmf.github.io/web-app/] or https://demo.mifos.io

2- Visit the {{Users}} section located in the {{Admin}} dropdown.



3- Click on {{Create User}}, fill in all the details and make sure to use a 
weak password ({{ex: read}}).

4- Forward the request and notice the user has been created with a weak password, 
i.e. {{read}}.

Notice you have been successfully logged in with the above-mentioned credentials.

Note: the backend must also enforce the password policy.

h2. Remediation Advice
Enforce a strong password policy. Don't permit weak passwords or passwords 
based on dictionary words.)
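The remediation advice calls for a policy that is enforced server-side. The following is an added example of such a validator (not Fineract's own code); the minimum length, character-class rule, leet-substitution map and the small word list are assumptions, and a real deployment would load a large dictionary or breached-password list instead.

```python
# Added example: server-side password policy check (not Fineract code).
import re
import unicodedata

MIN_LENGTH = 12  # assumed minimum; adjust to the deployment's policy

# Constructed sample of a dictionary / common-password list. A real check
# would load a large list (e.g. a breached-password corpus) from disk.
DICTIONARY_WORDS = {"read", "password", "welcome", "letmein", "qwerty", "admin"}

# Assumed leet substitutions, so "P@ssw0rd" is compared as "password".
_LEET = str.maketrans("@$013", "asole")


def _leet_normalize(s: str) -> str:
    """Lower-case the string and undo common character substitutions."""
    return s.lower().translate(_LEET)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    pw = unicodedata.normalize("NFKC", password)  # fold look-alike Unicode forms
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    normalized = _leet_normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    # Reject passwords that are a dictionary word once digits/symbols are
    # stripped, or that embed a longer dictionary word (e.g. "P@ssw0rd2024!").
    if letters_only in DICTIONARY_WORDS or any(
        w in normalized for w in DICTIONARY_WORDS if len(w) >= 5
    ):
        problems.append("based on a dictionary word or common password")
    if username and username.lower() in normalized:
        problems.append("contains the username")
    if len(set(pw)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # "read" is the weak password from the report; it fails on every rule.
    for candidate in ["read", "P@ssw0rd2024!", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Because the check returns every violated rule, the API layer can surface all of them in one error response instead of making the user fix one at a time.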

> Weak Password Policy
> --------------------
>
>                 Key: FINERACT-2127
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2127
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client, Security
>            Reporter: Peter Chen
>            Priority: Minor
>              Labels: security, web
>
> [Redacted]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)