Password strength was not always checked.

by Maurits van Rees published 2020/01/21 15:36:00 GMT+0, last modified 2020-01-24T15:20:07+00:00

Versions affected

  • 5.2.0
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.0.10
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3

Vulnerability

Some places that should have checked the strength of a new password did not do so. Anonymous self-registration checked it correctly, but depending on the Plone version, the password reset form or the admin form for adding a new user skipped the check, so a password that the site's policy would reject at registration could still be set through one of those paths.
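The pattern behind this advisory, as an added example that is not Plone's code and uses none of its APIs: a toy user store in which only self-registration validates the password, beside one where every entry point funnels through a single setter, plus an audit routine that feeds one sub-policy password to each path and reports which path accepts it. The 5-character minimum is an assumption standing in for whatever the site's configured password policy requires; the PBKDF2 hashing is there only so the example never stores plaintext.

```python
import hashlib
import os
from typing import Dict

# Assumed policy: a bare minimum-length rule. The value 5 is an assumption
# standing in for whatever the site's configured password policy requires.
MIN_PASSWORD_LENGTH = 5


class WeakPasswordError(ValueError):
    """Raised when a candidate password fails the policy."""


def check_password_strength(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> None:
    """The one policy check that every password-setting path must call."""
    if not isinstance(password, str):
        raise WeakPasswordError("password must be a string")
    if len(password) < min_length:
        raise WeakPasswordError(
            f"password must be at least {min_length} characters, got {len(password)}"
        )


def _hash_password(password: str) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext (illustrative only)."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableUserStore:
    """Mirrors the advisory: only anonymous self-registration validates."""

    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}

    def register_anonymously(self, username: str, password: str) -> None:
        check_password_strength(password)                    # checked here ...
        self.users[username] = _hash_password(password)

    def reset_password(self, username: str, password: str) -> None:
        self.users[username] = _hash_password(password)      # ... but not here

    def admin_add_user(self, username: str, password: str) -> None:
        self.users[username] = _hash_password(password)      # ... nor here


class FixedUserStore:
    """Every entry point goes through one private setter that enforces policy."""

    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}

    def _set_password(self, username: str, password: str) -> None:
        check_password_strength(password)
        self.users[username] = _hash_password(password)

    def register_anonymously(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def reset_password(self, username: str, password: str) -> None:
        self._set_password(username, password)

    def admin_add_user(self, username: str, password: str) -> None:
        self._set_password(username, password)


# Names of the three password-setting paths the advisory lists.
ENTRY_POINTS = ("register_anonymously", "reset_password", "admin_add_user")


def audit_entry_points(store, password: str = "abc") -> Dict[str, bool]:
    """Try one password on every path; True means that path accepted it.

    With a sub-policy password, any True is a bypass. This is the regression
    check a reviewer would add: one weak input, every entry point, no exceptions.
    """
    accepted = {}
    for name in ENTRY_POINTS:
        try:
            getattr(store, name)("alice", password)
            accepted[name] = True
        except WeakPasswordError:
            accepted[name] = False
    return accepted


if __name__ == "__main__":
    print("vulnerable:", audit_entry_points(VulnerableUserStore()))
    print("fixed:     ", audit_entry_points(FixedUserStore()))
```

The audit deliberately enumerates entry points by name rather than testing the validator in isolation: the bug here was never in the strength check itself but in which code paths called it, so the useful test is one that walks every path that can set a password.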

Current status

Patched

Credits

Discovered by

  • Ben Kummer

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team