
CWE-521 (Weak Password Requirements) — Vulnerability Class 111

111 vulnerabilities classified as CWE-521 (Weak Password Requirements). AI Chinese analysis included.

CWE-521 represents a critical authentication weakness where software fails to enforce robust password policies, allowing users to select trivially guessable credentials. Attackers typically exploit this vulnerability through offline brute-force or dictionary attacks, rapidly compromising accounts by testing common words, simple patterns, or previously leaked password databases against the weak hashes. Because the system permits low-entropy secrets, the computational effort required to breach accounts is significantly reduced, facilitating unauthorized access and potential data exfiltration. To mitigate this risk, developers must implement strict validation mechanisms that mandate minimum length, complexity, and uniqueness requirements. By integrating real-time feedback and checking against known compromised password lists during registration, organizations can ensure users create strong, resilient passwords that withstand automated cracking attempts and protect sensitive system resources.

MITRE CWE Description
The product does not require that users should have strong passwords.

Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
An attacker could easily guess user passwords and gain access to user accounts.

Mitigations (4)
Phase: Architecture and Design. A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes: enforcement of a minimum and maximum length; restrictions against password reuse; restrictions against using common passwords; restrictions against using contextual strings in the password (e.g., …
Phase: Architecture and Design. Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.
Phase: Implementation. Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
Phase: Implementation. Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and…
Effectiveness: Discouraged Common Practice
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-7053 | PHPGurukul Online Notes Sharing System signup.php weak password | Online Notes Sharing System | 3.1 | Low | 2023-12-22
CVE-2023-41353 | Chunghwa Telecom NOKIA G-040W-Q - Weak Password Requirements | NOKIA G-040W-Q | 8.8 | High | 2023-11-03
CVE-2023-40707 | Weak password requirements in OPTO 22 SNAP PAC S1 Built-in Web Server | SNAP PAC S1 | 8.6 | High | 2023-08-24
CVE-2023-4125 | Weak Password Requirements in answerdev/answer | answerdev/answer | 7.5 | - | 2023-08-03
CVE-2023-34995 | PiiGAB M-Bus Weak Password Requirements | M-Bus SoftwarePack | 7.5 | High | 2023-07-06
CVE-2023-34240 | Weak passwords allowed in cloudexplorer-lite | CloudExplorer-Lite | 6.5 | Medium | 2023-06-27
CVE-2023-3423 | Weak Password Requirements in cloudexplorer-dev/cloudexplorer-lite | cloudexplorer-dev/cloudexplorer-lite | 9.8 | - | 2023-06-27
CVE-2023-2060 | Authentication bypass vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules | MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 | 7.5 | High | 2023-06-02
CVE-2023-31098 | Apache InLong: Weak Password Implementation in InLong | Apache InLong | 7.4 | - | 2023-05-22
CVE-2023-2160 | Weak Password Requirements in modoboa/modoboa | modoboa/modoboa | 6.3 | Medium | 2023-04-18
CVE-2023-2106 | Weak Password Requirements in janeczku/calibre-web | janeczku/calibre-web | 9.8 | - | 2023-04-15
CVE-2022-34333 | IBM Sterling Order Management information disclosure | Sterling Order Management | 5.9 | Medium | 2023-04-07
CVE-2023-1753 | Weak Password Requirements in thorsten/phpmyfaq | thorsten/phpmyfaq | 5.5 | Medium | 2023-03-31
CVE-2023-0793 | Weak Password Requirements in thorsten/phpmyfaq | thorsten/phpmyfaq | 7.1 | High | 2023-02-12
CVE-2023-0641 | PHPGurukul Employee Leaves Management System changepassword.php weak password | Employee Leaves Management System | 3.7 | Low | 2023-02-02
CVE-2022-32513 | Schneider Electric C-Bus Home Automation security vulnerability | C-Bus Network Automation Controller, LSS5500NAC | 9.8 | Critical | 2023-01-30
CVE-2023-0564 | Weak Password Requirements in froxlor/froxlor | froxlor/froxlor | 5.4 | Medium | 2023-01-29
CVE-2023-0569 | Weak Password Requirements in publify/publify | publify/publify | 7.5 | - | 2023-01-29
CVE-2023-0307 | Weak Password Requirements in thorsten/phpmyfaq | thorsten/phpmyfaq | 8.8 | - | 2023-01-15
CVE-2023-22451 | Weak password requirements in Kiwi TCMS | Kiwi | 6.5 | Medium | 2023-01-02
CVE-2022-45482 | thisAAY Lazy Mouse security vulnerability | Lazy Mouse | 9.8 | - | 2022-12-02
CVE-2022-3754 | Weak Password Requirements in thorsten/phpmyfaq | thorsten/phpmyfaq | 8.8 | - | 2022-10-29
CVE-2022-3376 | Weak Password Requirements in ikus060/rdiffweb | ikus060/rdiffweb | 9.8 | - | 2022-10-06
CVE-2022-3326 | Weak Password Requirements in ikus060/rdiffweb | ikus060/rdiffweb | 9.8 | - | 2022-09-28
CVE-2022-3268 | Weak Password Requirements in ikus060/minarca | ikus060/minarca | 9.8 | - | 2022-09-22
CVE-2022-3179 | Weak Password Requirements in ikus060/rdiffweb | ikus060/rdiffweb | 9.8 | - | 2022-09-13
CVE-2022-27558 | HCL iNotes is susceptible to a Broken Password Strength Checks vulnerability. | HCL iNotes | 5.9 | Medium | 2022-08-29
CVE-2022-2927 | Weak Password Requirements in notrinos/notrinoserp | notrinos/notrinoserp | 9.8 | - | 2022-08-22
CVE-2022-36301 | Bosch BF-OS security vulnerability | BF-OS | 9.8 | Critical | 2022-08-01
CVE-2022-1668 | Secheron SEPCOS Control and Protection Relay | SEPCOS Control and Protection Relay firmware package | 9.8 | Critical | 2022-06-24

Vulnerabilities classified as CWE-521 (Weak Password Requirements) represent 111 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.