Weak Password Hashing (P1): User passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat).
CVSS v4.0
# Weak Password Hashing: 7.3 (High)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N
Details
Vulnerability: Unsalted MD5 Password Hashing
File: apps/common/utils/common.py:30-38
```python
import hashlib

def password_encrypt(row_password):
    # Unsalted, single-round MD5: the digest is a pure function of the
    # password, so identical passwords hash identically and the result
    # is cheap to brute-force.
    md5 = hashlib.md5()
    md5.update(row_password.encode())
    return md5.hexdigest()
```
Used for real user password storage (confirmed in login, user creation, and password change flows). No salt means identical passwords produce identical hashes, and precomputed rainbow tables can crack them in seconds.
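The contrast below is an added example, not the project's code: it reproduces the unsalted-MD5 behaviour of `password_encrypt` beside a salted PBKDF2-HMAC-SHA256 replacement with constant-time verification. The storage format, the `pbkdf2_sha256$iterations$salt$digest` string, the iteration count, and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def password_encrypt_legacy(raw_password: str) -> str:
    """Constructed copy of the finding's behaviour: unsalted MD5, no work factor."""
    return hashlib.md5(raw_password.encode()).hexdigest()

# Assumed work factor for the hardened scheme; tune so one hash takes ~100 ms on the server.
PBKDF2_ITERATIONS = 600_000

def hash_password(raw_password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$digest' (assumed format)."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(raw_password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many digest bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def demo() -> dict:
    """Two users sharing a password: legacy MD5 gives identical, recognisable
    hashes; the salted scheme gives distinct hashes that still verify."""
    pw = "Summer2024!"  # constructed sample password
    legacy_a, legacy_b = password_encrypt_legacy(pw), password_encrypt_legacy(pw)
    salted_a, salted_b = hash_password(pw), hash_password(pw)
    return {
        "legacy_identical": legacy_a == legacy_b,
        "salted_identical": salted_a == salted_b,
        "salted_verifies": verify_password(pw, salted_a),
        "salted_rejects_wrong": verify_password("Winter2024!", salted_a),
    }
```

Existing MD5 records cannot be converted offline; the usual migration is to verify the legacy hash once at login and immediately re-store the password with `hash_password`.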