Microweber CMS Weak Password Requirements Vulnerability

Vulnerability

A vulnerability exists in Microweber CMS version 2.0, which allows users to set weak passwords during the password reset process. The application fails to enforce minimum password length or complexity, enabling the creation of single-character passwords. This weakness poses a significant risk of account compromise, including administrative accounts.

Impact

The vulnerability allows users to create single-character passwords, leading to a high risk of account takeover. This issue affects the security of all deployed Microweber sites and could compromise admin or privileged accounts.

Reproduction

To reproduce this vulnerability, register an account on the Microweber website and log out. Then, initiate a password reset by clicking 'Forgot Password' and follow the instructions to receive a password reset email. After receiving the email, follow the reset link and enter a single-character password. Submit the form, and the login will succeed with the weak password.

Remediation

It is recommended to enforce a minimum password length of at least 8 characters, to require complexity (uppercase letters, lowercase letters, digits, and special characters), and to validate passwords on the server side during both account creation and password reset, so that the policy cannot be bypassed by skipping a client-side check.
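The following is an added example of the server-side check the remediation describes; it is not Microweber's code and does not reflect how the CMS stores accounts. It assumes a hypothetical in-memory account store (ACCOUNTS), a constructed reset token, and salted PBKDF2 for password storage. The reset handler rejects the single-character password from the reproduction steps, leaves the token usable for a retry after a policy failure, and consumes the token once a compliant password has been set.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8

# Policy rules: each entry is (rule name, predicate). A password must satisfy all of them.
RULES = [
    ("min_length", lambda pw: len(pw) >= MIN_LENGTH),
    ("uppercase", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("lowercase", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("digit", lambda pw: re.search(r"[0-9]", pw) is not None),
    ("special", lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]


def password_violations(password: str) -> list:
    """Return the names of every rule the password fails; an empty list means it passes."""
    return [name for name, check in RULES if not check(password)]


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored salt+digest."""
    salt = stored[:16]
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed in-memory account store standing in for the CMS database (hypothetical).
ACCOUNTS = {
    "alice": {
        "password": hash_password("OldPassw0rd!"),
        "reset_token": "constructed-token-123",  # constructed sample token
    },
}


def reset_password(username: str, token: str, new_password: str) -> dict:
    """Complete a password reset only if the token matches and the new password meets policy.

    The policy is enforced here, on the server, so a missing or modified client-side
    check cannot bypass it. A policy failure leaves the token usable for a retry; a
    successful reset consumes it so the link cannot be replayed.
    """
    account = ACCOUNTS.get(username)
    if (
        account is None
        or account["reset_token"] is None
        or not hmac.compare_digest(account["reset_token"], token)
    ):
        return {"ok": False, "errors": ["invalid_token"]}

    errors = password_violations(new_password)
    if errors:
        return {"ok": False, "errors": errors}

    account["password"] = hash_password(new_password)
    account["reset_token"] = None  # single use
    return {"ok": True, "errors": []}


if __name__ == "__main__":
    # The single-character password from the reproduction steps is rejected with the reasons.
    print(reset_password("alice", "constructed-token-123", "a"))
    # A compliant password is accepted and the token is consumed.
    print(reset_password("alice", "constructed-token-123", "Correct-Horse1"))
    print(reset_password("alice", "constructed-token-123", "Correct-Horse1"))
```

Returning the list of failed rules, rather than a bare boolean, lets the reset form tell the user exactly which requirement was not met without the server having to trust any client-side validation.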

Added: Oct 24, 2025, 9:22 PM
Updated: Oct 24, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         5.0
exploitability: 7.9
remediation:    0.0
relevance:      0.8
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.