
CVE-2022-2927: Missing password strength check in notrinos/notrinos-erp

CVSS Score
7.3 (CVSS 3.0)

Basic Information

EPSS Score
0.25455%
Published
8/23/2022
Updated
1/28/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name
notrinos/notrinos-erp
Ecosystem
composer
Vulnerable Versions
< 0.7
First Patched Version
0.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the conditional logic in the can_process function. Before the patch, password length validation (strlen($_POST['password']) < 4) was only triggered when editing existing users (!$new). The commit modified the condition to 'if ($new || (!$new && ...))' to include new user creation flows. This directly matches the CWE-521 weakness description and the advisory's statement about missing strength checks for new accounts.
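To make the conditional concrete, the following is a constructed illustration of the flawed check beside its corrected form. It is added here and is not the project's own can_process code: the function shape is simplified, the 4-character minimum is the value quoted above, and the non-empty-password test standing in for the elided "..." part of the patched condition is an assumption.

```php
<?php
// Constructed illustration of the CWE-521 pattern described in the
// root cause analysis. Not notrinos-erp's actual can_process(); the
// branch structure is reduced to the part that matters here.

const MIN_PASSWORD_LENGTH = 4; // minimum quoted in the analysis

// Vulnerable shape: the length check only runs in the "edit existing
// user" branch, so a brand-new account is never subject to it.
function can_process_vulnerable(array $post, bool $new): bool
{
    if (!$new) {
        if (strlen($post['password'] ?? '') < MIN_PASSWORD_LENGTH) {
            return false; // reject: password too short
        }
    }
    return true;
}

// Patched shape: new accounts are always checked; existing accounts
// are checked whenever a replacement password was submitted. The
// "password field is non-empty" test is an assumed stand-in for the
// elided part of the real condition (an empty field on edit is taken
// to mean "keep the current password").
function can_process_patched(array $post, bool $new): bool
{
    $password = $post['password'] ?? '';
    if ($new || (!$new && $password !== '')) {
        if (strlen($password) < MIN_PASSWORD_LENGTH) {
            return false; // reject: password too short
        }
    }
    return true;
}

// Constructed sample submissions, run through both versions.
$cases = [
    'new user, 2-char password'      => [['password' => 'ab'], true],
    'edit user, 2-char password'     => [['password' => 'ab'], false],
    'edit user, password left blank' => [['password' => ''], false],
    'new user, 8-char password'      => [['password' => 'correcth'], true],
];
foreach ($cases as $label => [$post, $new]) {
    printf("%-32s vulnerable=%s patched=%s\n", $label,
        can_process_vulnerable($post, $new) ? 'accept' : 'reject',
        can_process_patched($post, $new) ? 'accept' : 'reject');
}
```

The first case is the advisory's scenario: the vulnerable version accepts the short password for a new account because the check is never reached, while the patched version rejects it.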


WAF Protection Rules

WAF Rule

In versions of notrinos/notrinos-erp prior to 0.7 new account passwords were missing a password strength check.

Reasoning

The vulnerability stems from the conditional logic in the can_process function. Before the patch, password length validation (strlen($_POST['password']) < 4) was only triggered when editing existing users (!$new). The commit modified the condition to 'if ($new || (!$new && ...))' to include new user creation flows.