GHSA-44w5-q257-8428: Exposure of password hashes in notrinos/notrinos-erp
The AP officer account is authorized to back up and restore the database. Because of this, an AP officer can download a backup and read the password hash of the System Administrator account. The stored hash is plain MD5, which is fast to compute and therefore cheap to crack by dictionary or brute-force attack, yielding the administrator password.
High severity GitHub Reviewed Published Aug 22, 2022 • Updated Aug 30, 2022
Related news
CVE-2022-2921: changed password hash method from md5 to bcrypt. · notrinos/NotrinosERP@1b9903f
This leads to privilege escalation from the AP officer account to the System Administrator account, which grants additional functionality such as: create/update companies, install/update languages, install/activate extensions, install/activate themes, install/activate charts of accounts, and software upgrade.
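To make the weakness concrete, the following is an added example in Python, not code from NotrinosERP or from the advisory. It pulls the MD5-shaped field out of a constructed SQL backup excerpt, runs a small constructed wordlist against it (the attack an AP officer with backup rights could mount offline), and then shows the shape of a hardened replacement. The fix commit linked above switched to bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in salted, iterated hash because it needs no third-party package. The table name, columns, dump rows, logins and wordlist are all made up for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed backup excerpt: the shape a users table takes in a SQL dump.
# Table name, columns and values are illustrative, not taken from NotrinosERP.
CONSTRUCTED_DUMP = """
INSERT INTO `users` VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99','System Administrator');
INSERT INTO `users` VALUES (2,'apclerk','21232f297a57a5a743894a0e4a801fc3','AP officer');
INSERT INTO `users` VALUES (3,'auditor','0d7f0d72a6c1a4d1f6e6ed0c4b6f4a2d','Read only');
"""

# Constructed wordlist standing in for a real dictionary such as rockyou.
CONSTRUCTED_WORDLIST = ["123456", "password", "admin", "letmein", "Welcome1"]

# A plain MD5 digest is 32 lowercase hex characters. That fingerprint is enough
# to locate the password column in a dump without knowing the schema.
ROW = re.compile(r"\((\d+),'([^']*)','([0-9a-f]{32})',")


def extract_accounts(dump_text):
    """Return [(user_id, login, md5_hex), ...] for every row carrying an MD5-shaped field."""
    return [(int(uid), login, digest) for uid, login, digest in ROW.findall(dump_text)]


def crack_md5(md5_hex, wordlist):
    """Dictionary attack against unsalted MD5: one fast hash per candidate, no work factor."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == md5_hex:
            return candidate
    return None


def crack_dump(dump_text, wordlist):
    """Map login -> recovered password (None where the wordlist misses)."""
    return {login: crack_md5(digest, wordlist) for _, login, digest in extract_accounts(dump_text)}


# Hardened storage. The real fix used bcrypt; PBKDF2 is used here only because
# it ships with the standard library. Raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash. The encoding 'algo$iters$salt$dk' is this example's own."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for login, pw in crack_dump(CONSTRUCTED_DUMP, CONSTRUCTED_WORDLIST).items():
        print(f"{login}: {'cracked -> ' + pw if pw else 'not in wordlist'}")
    stored = hash_password("password")
    print("hardened:", stored)
    print("verify:", verify_password("password", stored))
```

Two points the example makes beyond the advisory text: with unsalted MD5 the attacker pays one cheap hash per candidate and can reuse precomputed tables across every user in the dump, whereas a per-user salt and a work factor force the same dictionary to be recomputed per account at a configurable cost. Changing the hash does not remove the second defect, which is that a database backup is an administrative capability; limiting backup and restore to the administrator role is the least-privilege fix that stops the exposure in the first place.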