SYM_PY_0223 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Weak Password Requirements
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-521: Weak Password Requirements |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Setting a user's password to an empty string ('') rather than to None, or rather than calling set_unusable_password(), leaves the account with a blank but still valid password. Anyone can then log in to that account by submitting an empty password.
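As an added illustration (not code from the Symbiotic-Vulnerability-Database project and not Django's own implementation), the following self-contained Python models the two password-setting paths the description contrasts: set_password("") stores a hash of the empty string that check_password accepts like any other credential, while set_unusable_password() stores a marker that can never match. The User, make_password and check_password names mirror the shape of Django's API but are constructed stand-ins; audit_blank_passwords is a hypothetical helper a defender could run over existing accounts to find the weak ones.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional

# Prefix marking a stored password as unusable, modelled on Django's "!" convention.
# Everything in this module is a constructed stand-in, not Django's code.
UNUSABLE_PASSWORD_PREFIX = "!"
PBKDF2_ITERATIONS = 100_000


def make_password(raw_password: str, salt: Optional[bytes] = None) -> str:
    """Hash a raw password as '<algorithm>$<salt-hex>$<digest-hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password(raw_password: str, encoded: str) -> bool:
    """Return True only if raw_password matches a *usable* stored hash."""
    if encoded.startswith(UNUSABLE_PASSWORD_PREFIX):
        return False  # account has no valid password, so nothing can match
    try:
        algorithm, salt_hex, _digest_hex = encoded.split("$")
    except ValueError:
        return False  # malformed or empty hash field
    if algorithm != "pbkdf2_sha256":
        return False
    expected = make_password(raw_password, bytes.fromhex(salt_hex))
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(expected, encoded)


class User:
    """Minimal user model exposing the two password-setting paths the entry contrasts."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.password = ""

    def set_password(self, raw_password: str) -> None:
        self.password = make_password(raw_password)

    def set_unusable_password(self) -> None:
        # Random suffix so two unusable accounts never share a stored value.
        self.password = UNUSABLE_PASSWORD_PREFIX + os.urandom(20).hex()

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)


def create_account_weak(username: str) -> User:
    """Vulnerable pattern: the empty string is hashed and becomes a valid credential."""
    user = User(username)
    user.set_password("")
    return user


def create_account_safe(username: str) -> User:
    """Hardened pattern: mark the account as having no password at all."""
    user = User(username)
    user.set_unusable_password()
    return user


def login(user: User, submitted_password: str) -> bool:
    """Authenticate a submitted password against the stored hash."""
    return check_password(submitted_password, user.password)


def audit_blank_passwords(users: Iterable[User]) -> List[str]:
    """Defensive check: list accounts whose stored hash accepts an empty password."""
    return [
        u.username
        for u in users
        if u.has_usable_password() and check_password("", u.password)
    ]


def sample_accounts() -> List[User]:
    """Constructed sample: one blank-password account, one unusable, one normal."""
    carol = User("carol")
    carol.set_password("correct horse battery staple")
    return [create_account_weak("alice"), create_account_safe("bob"), carol]


if __name__ == "__main__":
    for account in sample_accounts():
        print(account.username, "accepts empty password:", login(account, ""))
    print("blank-password accounts:", audit_blank_passwords(sample_accounts()))
```

The audit helper is the practical takeaway: on an existing user table, the same check (has a usable hash, and that hash verifies the empty string) finds accounts created through the weak path so they can be migrated to set_unusable_password() before anyone else finds them.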
Impact
If exploited, an attacker could gain unauthorized access to any such account simply by submitting an empty password. This exposes that user's sensitive data and can compromise the security of the entire application.