
CVE-2025-11322

Weak Password Policy

CVE-2025-11322: Weak Password Policy Vulnerability in Create new User Function

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-11322

Summary

A Weak Password Policy vulnerability was identified in the user registration functionality of the Novosga application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as 123456. This exposes the platform to brute-force and credential stuffing attacks.

Details

The application fails to enforce a strong password policy. As a result, users can register accounts with trivial and well-known weak passwords, compromising the authentication security of the platform.

Vulnerable Component: User registration / password creation

PoC

  • Navigate to the user registration page after logging in with the Administrator account.
  • Create a new user account with the password 123456.
  • The application accepts the weak password without restrictions and creates the account successfully.

Impact

  • Increased risk of brute-force and credential stuffing attacks.
  • Unauthorized access to user or administrative accounts.
  • Privilege escalation through compromised accounts.
  • Reduced overall security posture of the application.

Reference

https://github.com/marcelomulder/CVE/blob/main/NovoSga/CVE-2025-11322.md

Finder

Marcelo Queiroz

By: CVE-Hunters
