
CWE-521 (Weak Password Requirements) — Vulnerability Class 111

111 vulnerabilities classified as CWE-521 (Weak Password Requirements). Chinese-language AI analysis included.

CWE-521 represents a critical authentication weakness in which software fails to enforce a robust password policy, allowing users to select trivially guessable credentials. Attackers typically exploit this weakness through offline brute-force or dictionary attacks, rapidly compromising accounts by testing common words, simple patterns, or previously leaked password lists against captured password hashes. Because the system permits low-entropy secrets, the computational effort required to breach accounts drops sharply, facilitating unauthorized access and potential data exfiltration. To mitigate this risk, developers must implement strict validation that mandates minimum length, complexity, and uniqueness requirements. By providing real-time feedback and checking candidate passwords against known compromised-password lists during registration, organizations can ensure users create strong, resilient passwords that withstand automated cracking attempts and protect sensitive system resources.

MITRE CWE Description
The product does not require that users should have strong passwords.

Common Consequences (1)
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could easily guess user passwords and gain access to user accounts.

Mitigations (4)
Phase: Architecture and Design
A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
- Enforcement of a minimum and maximum length
- Restrictions against password reuse
- Restrictions against using common passwords
- Restrictions against using contextual strings in the password (e.g., …

Phase: Architecture and Design
Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.

Phase: Implementation
Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.

Phase: Implementation
Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and…
Effectiveness: Discouraged Common Practice
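The password-policy attributes recommended above (length bounds, no reuse, no common passwords, no contextual strings), together with the compromised-password check mentioned in the summary, can be enforced in a single registration-time validator. The following is an added example written for this page; it is not MITRE's code nor that of any product listed below. The thresholds (12 to 128 characters, 5-deep history), the PBKDF2 iteration count, the account model and the tiny compromised-password list are all assumptions made for the example.

```python
"""Added example: CWE-521 password-policy validator (assumed thresholds)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a "known compromised passwords" feed, stored as
# SHA-1 digests (uppercase hex) so the plaintext list never ships with the app.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Welcome1")
}

# Assumed policy parameters; MITRE recommends the attributes, not the numbers.
MIN_LENGTH = 12
MAX_LENGTH = 128          # an upper bound also caps the cost of hashing
HISTORY_DEPTH = 5         # how many previous passwords may not be reused
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    product_name: str
    # (salt, digest) pairs of previously used passwords, oldest first
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def check_password(candidate: str, account: Account) -> list[str]:
    """Return every policy violation found; an empty list means accepted."""
    problems: list[str] = []

    # 1. Minimum and maximum length.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # 2. Contextual strings: the username or product name inside the password.
    lowered = candidate.lower()
    for ctx in (account.username, account.product_name):
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains contextual string {ctx!r}")

    # 3. Common / known-compromised passwords.
    if hashlib.sha1(candidate.encode()).hexdigest().upper() in COMPROMISED_SHA1:
        problems.append("appears in the compromised-password list")

    # 4. Reuse: re-derive with each stored salt and compare in constant time.
    for salt, old_digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], old_digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break

    return problems


def set_password(candidate: str, account: Account) -> bool:
    """Enforce the policy; on acceptance record the new hash in the history."""
    if check_password(candidate, account):
        return False
    account.history.append(hash_password(candidate))
    return True


if __name__ == "__main__":
    acct = Account(username="alice", product_name="Logger1000")
    print(set_password("correct-horse-battery-staple", acct))   # True
    print(check_password("Welcome1", acct))
    print(check_password("correct-horse-battery-staple", acct))
```

Returning the full list of violations rather than the first one is what makes the "complexity meter" mitigation possible: the UI can show every unmet attribute at once. Keeping the compromised list as digests and the history as salted PBKDF2 digests means neither check requires storing any password in clear.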
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-46742 | Improper Access Control | SEL Blueframe OS | 4.3 | Medium | 2025-05-12 |
| CVE-2025-4534 | SunGrow Logger1000 weak password | Logger1000 | 3.7 | Low | 2025-05-11 |
| CVE-2025-1993 | IBM App Connect Enterprise Certified Container information disclosure | App Connect Enterprise Certified Container | 5.1 | Medium | 2025-05-09 |
| CVE-2023-27272 | IBM Aspera Console weak password requirements | Aspera Console | 3.1 | Low | 2025-04-14 |
| CVE-2025-25211 | Inaba Denki Sangyo CHOCO TEI WATCHER mini security vulnerability | CHOCO TEI WATCHER mini (IB-MCT001) | 9.8 | Critical | 2025-03-31 |
| CVE-2025-1474 | Weak Password Requirements in mlflow/mlflow | mlflow/mlflow | 9.8 | - | 2025-03-20 |
| CVE-2024-41778 | IBM Controller information disclosure | Controller | 5.3 | Medium | 2025-03-01 |
| CVE-2025-1341 | PMWeb Setting weak password | PMWeb | 3.7 | Low | 2025-02-16 |
| CVE-2023-35907 | IBM Aspera Faspex information disclosure | Aspera Faspex | 5.9 | Medium | 2025-01-29 |
| CVE-2023-37398 | IBM Aspera Faspex information disclosure | Aspera Faspex | 5.9 | Medium | 2025-01-29 |
| CVE-2024-42173 | HCL MyXalytics is affected by an improper password policy implementation vulnerability | DRYiCE MyXalytics | 4.8 | Medium | 2025-01-11 |
| CVE-2025-22390 | Optimizely EPiServer.CMS.Core security vulnerability | n/a | 9.8 | - | 2025-01-04 |
| CVE-2024-48845 | Weak Password Rules/Strength | ASPECT-Enterprise | 9.4 | Critical | 2024-12-05 |
| CVE-2024-7293 | Password policy for new users is not strong enough | Telerik Report Server | 7.5 | High | 2024-10-09 |
| CVE-2024-47121 | Weak Passwords Requirements in goTenna Pro | Pro | 5.3 | Medium | 2024-09-26 |
| CVE-2024-45374 | goTenna Pro ATAK Plugin Weak Password Requirements | Pro ATAK Plugin | 5.3 | Medium | 2024-09-26 |
| CVE-2021-38133 | Possible Improper authentication Vulnerability in OpenText eDirectory | eDirectory | 7.4 | High | 2024-09-12 |
| CVE-2024-40697 | IBM Common Licensing information disclosure | Common Licensing | 7.5 | High | 2024-08-13 |
| CVE-2024-41683 | Siemens Location Intelligence Perpetual security vulnerability | Location Intelligence family | 5.3 | Medium | 2024-08-13 |
| CVE-2023-41923 | Weak Password Requirements in Kiloview P1/P2 devices | P1/P2 | 7.2 | High | 2024-07-02 |
| CVE-2024-3263 | Improper authentication in YMS VIS Pro | VIS Pro | 9.8 | Critical | 2024-05-13 |
| CVE-2024-3735 | Smart Office Main.aspx weak password | Smart Office | 3.7 | Low | 2024-04-13 |
| CVE-2024-22355 | IBM QRadar Suite information disclosure | QRadar Suite Products | 5.9 | Medium | 2024-03-03 |
| CVE-2023-50305 | IBM Engineering Requirements Management information disclosure | Engineering Requirements Management | 5.1 | Medium | 2024-03-01 |
| CVE-2024-1346 | Weak MySQL database root password in LaborOfficeFree | LaborOfficeFree | 6.8 | Medium | 2024-02-19 |
| CVE-2024-1345 | Weak MySQL database root password in LaborOfficeFree | LaborOfficeFree | 6.8 | Medium | 2024-02-19 |
| CVE-2023-38369 | IBM Security Access Manager Container information disclosure | Security Verify Access Appliance | 6.2 | Medium | 2024-02-07 |
| CVE-2024-0676 | Weak password requirement vulnerability in Lamassu Bitcoin ATM Douro machines | Bitcoin ATM Douro machines | 5.6 | Medium | 2024-01-30 |
| CVE-2024-0347 | SourceCodester Engineers Online Portal signup_teacher.php weak password | Engineers Online Portal | 3.7 | Low | 2024-01-09 |
| CVE-2024-0188 | RRJ Nueva Ecija Engineer Online Portal change_password_teacher.php weak password | Nueva Ecija Engineer Online Portal | 3.1 | Low | 2024-01-02 |

Vulnerabilities classified as CWE-521 (Weak Password Requirements) represent 111 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.