Weak password requirements in Plone - CVE-2020-7940

Published: February 3, 2020


Vulnerability identifier: #VU24828
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-7940
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Plone
Affected software: Plone

Detailed vulnerability description

The vulnerability allows an attacker to set weak passwords.

The vulnerability exists due to missing password strength checks on the password reset form or the admin form. A remote authenticated attacker can set weak passwords, making the affected accounts easier to crack.
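The check that CWE-521 describes as missing is a password-policy validator applied on every path that sets a password, the self-service reset form as well as the administrator's user form. The block below is an added example written for this page, not Plone's or the vendor's code: a policy function that returns the list of rules a candidate password breaks, plus a wrapper shaped like the `validateUserInfo(user, set_id, set_info)` call of a PAS validation plugin so the same rules can be applied from any form. The thresholds, rule names and the tiny denylist are constructed assumptions; a deployment would load a real breached-password list.

```python
"""Password-strength policy of the kind CVE-2020-7940 reports as missing.

Added example; not Plone's own code. Thresholds, rule names and the
denylist below are assumptions chosen for illustration.
"""
import re
import unicodedata

# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = frozenset(
    {"password", "12345678", "qwerty123", "admin", "plone", "letmein"}
)

MIN_LENGTH = 12          # assumed minimum length
MIN_CHAR_CLASSES = 3     # assumed: at least 3 of lower/upper/digit/symbol


def password_violations(password, username=None, min_length=MIN_LENGTH):
    """Return the list of policy rules the password breaks ([] means accepted).

    The password is NFKC-normalised first so that visually identical Unicode
    input is judged consistently; the rules are checked in a fixed order so
    the result is stable for tests and audit logs.
    """
    pw = unicodedata.normalize("NFKC", password)
    lowered = pw.lower()
    problems = []

    if len(pw) < min_length:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common_password")
    # Reject passwords built from the account name (ignore very short names
    # that would match almost anything).
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains_username")

    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CHAR_CLASSES:
        problems.append("insufficient_variety")
    # Four or more identical characters in a row, e.g. "aaaa".
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeated_characters")
    return problems


def validateUserInfo(user, set_id, set_info):
    """Validation hook modelled on the PAS IValidationPlugin call shape (an
    assumption about the interface, not Plone's implementation).

    `user` is either a user object exposing getUserName() or, for this
    example, a plain username string.  Returns a list of {'id', 'error'}
    dicts; an empty list means the update may proceed.
    """
    password = set_info.get("password") if set_info else None
    if password is None:
        return []  # nothing password-related is being changed
    if isinstance(user, str):
        username = user
    else:
        username = getattr(user, "getUserName", lambda: None)()
    errors = password_violations(password, username)
    if errors:
        return [{"id": "password", "error": "Password rejected: " + ", ".join(errors)}]
    return []


if __name__ == "__main__":
    # Constructed inputs: the same hook serves the reset form and the admin form.
    for who, candidate in (("alice", "password"), ("alice", "Correct-Horse-Battery-9")):
        print(who, candidate, validateUserInfo(who, who, {"password": candidate}))
```

Because both the reset form and the admin form call the same hook, there is a single place to audit and a single place to tighten; a policy that lives in one form's template but not the other's is exactly the gap this advisory describes.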


How to mitigate CVE-2020-7940

Install updates from the vendor's website.

Sources