Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

CVE-2023-43650 (GCVE-0-2023-43650)

Vulnerability from cvelistv5 – Published: 2023-09-27 18:33 – Updated: 2025-03-25 19:24
VLAI
Title
Non-MFA account takeover via brute-force attack on weak password reset code in jumpserver
Summary
JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
Vendor Product Version
jumpserver jumpserver Affected: >= 2.0.0, < 2.28.20
Affected: >= 3.0.0, < 3.7.1
Create a notification for this product.
jumpserver jumpserver Affected: 2.0.0 , < 2.28.20 (custom)
Affected: 3.0.0 , < 3.7.1 (custom)
    cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:44:43.734Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:jumpserver:jumpserver:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jumpserver",
            "vendor": "jumpserver",
            "versions": [
              {
                "lessThan": "2.28.20",
                "status": "affected",
                "version": "2.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.7.1",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-43650",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T18:52:48.677132Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-23T19:06:26.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jumpserver",
          "vendor": "jumpserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.28.20"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JumpServer is an open source bastion host. The verification code for resetting user\u0027s password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code, ranging from 000000 to 999999, to facilitate the password reset. Although the code is only available in 1 minute, this window potentially allows for up to 1,000,000 validation attempts. This issue has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-25T19:24:24.277Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw"
        },
        {
          "name": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2"
        }
      ],
      "source": {
        "advisory": "GHSA-mwx4-8fwc-2xvw",
        "discovery": "UNKNOWN"
      },
      "title": "Non-MFA account takeover via brute-force attack on weak password reset code in jumpserver"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-43650",
    "datePublished": "2023-09-27T18:33:46.034Z",
    "dateReserved": "2023-09-20T15:35:38.147Z",
    "dateUpdated": "2025-03-25T19:24:24.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-42481 (GCVE-0-2023-42481)

Vulnerability from cvelistv5 – Published: 2023-12-12 01:00 – Updated: 2024-09-28 22:13
VLAI
Title
Improper Access Control vulnerability in SAP Commerce Cloud
Summary
In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP Commerce Cloud Affected: HY_COM 1905
Affected: HY_COM 2005
Affected: HY_COM2105
Affected: HY_COM 2011
Affected: HY_COM 2205
Affected: COM_CLOUD 2211
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:39.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3394567"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Commerce Cloud",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "HY_COM 1905"
            },
            {
              "status": "affected",
              "version": "HY_COM 2005"
            },
            {
              "status": "affected",
              "version": "HY_COM2105"
            },
            {
              "status": "affected",
              "version": "HY_COM 2011"
            },
            {
              "status": "affected",
              "version": "HY_COM 2205"
            },
            {
              "status": "affected",
              "version": "COM_CLOUD 2211"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.\u003c/p\u003e"
            }
          ],
          "value": "In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-28T22:13:37.167Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3394567"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper Access Control vulnerability in SAP Commerce Cloud",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-42481",
    "datePublished": "2023-12-12T01:00:19.249Z",
    "dateReserved": "2023-09-11T07:15:13.775Z",
    "dateUpdated": "2024-09-28T22:13:37.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-35717 (GCVE-0-2023-35717)

Vulnerability from cvelistv5 – Published: 2024-05-03 01:57 – Updated: 2024-09-18 18:28
VLAI
Title
TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability
Summary
TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20484.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
zdi
References
Impacted products
Vendor Product Version
TP-Link Tapo C210 Affected: 1.3.0 Build 220830 Rel.69909n (release 2022-09-22)
Create a notification for this product.
Date Public
2023-07-05 16:55
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35717",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-18T13:26:17.142708Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-18T13:26:26.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:30:44.371Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ZDI-23-895",
            "tags": [
              "x_research-advisory",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-895/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Tapo C210",
          "vendor": "TP-Link",
          "versions": [
            {
              "status": "affected",
              "version": "1.3.0 Build 220830 Rel.69909n (release 2022-09-22)"
            }
          ]
        }
      ],
      "dateAssigned": "2023-06-15T20:31:13.910Z",
      "datePublic": "2023-07-05T16:55:16.320Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the password recovery mechanism. The issue results from reliance upon the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system.\n. Was ZDI-CAN-20484."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-18T18:28:52.945Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-23-895",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-895/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Cyrille Chatras"
      },
      "title": "TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2023-35717",
    "datePublished": "2024-05-03T01:57:38.702Z",
    "dateReserved": "2023-06-15T20:23:02.752Z",
    "dateUpdated": "2024-09-18T18:28:52.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-35134 (GCVE-0-2023-35134)

Vulnerability from cvelistv5 – Published: 2023-07-19 21:43 – Updated: 2024-10-28 14:30
VLAI
Title
Weintek Weincloud Weak Password Recovery Mechanism for Forgotten Password
Summary
Weintek Weincloud v0.13.6 could allow an attacker to reset a password with the corresponding account’s JWT token only.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
Weintek Weincloud Affected: 0 , ≤ 0.13.6 (custom)
Create a notification for this product.
Date Public
2023-07-18 17:00
Credits
​Hank Chen (PSIRT and Threat Research of TXOne Networks) reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:23:59.280Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-28T14:29:57.942492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-28T14:30:07.804Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Weincloud",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThanOrEqual": "0.13.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "\u200bHank Chen (PSIRT and Threat Research of TXOne Networks) reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2023-07-18T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWeintek Weincloud v\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e0.13.6\u003c/span\u003e\n\n could allow an attacker to reset a password with the corresponding account\u2019s JWT token only.\u003c/span\u003e\n\n\u003c/span\u003e\n\n"
            }
          ],
          "value": "\n\n\nWeintek Weincloud v0.13.6\n\n could allow an attacker to reset a password with the corresponding account\u2019s JWT token only.\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-19T21:43:20.562Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "\n\n\n\n\n\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.\n\n\n\n\n"
        }
      ],
      "source": {
        "advisory": "ICSA-23-199-04",
        "discovery": "EXTERNAL"
      },
      "title": "Weintek Weincloud Weak Password Recovery Mechanism for Forgotten Password",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003e\u200bAdditional mitigations are recommended to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.\u003c/li\u003e\u003cli\u003e\u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.\u003c/li\u003e\u003cli\u003e\u200bRegularly change passwords to reduce risks.\u003c/li\u003e\u003cli\u003e\u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\n\u200bAdditional mitigations are recommended to help reduce risk:\n\n  *  \u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.\n  *  \u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.\n  *  \u200bRegularly change passwords to reduce risks.\n  *  \u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.\n\n\n\n\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-35134",
    "datePublished": "2023-07-19T21:43:20.562Z",
    "dateReserved": "2023-07-13T15:55:48.879Z",
    "dateUpdated": "2024-10-28T14:30:07.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-34357 (GCVE-0-2023-34357)

Vulnerability from cvelistv5 – Published: 2023-09-07 02:00 – Updated: 2024-09-26 19:50
VLAI
Title
Soar Cloud Ltd. HR Portal - Weak Password Recovery Mechanism for Forgotten Password
Summary
Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
Soar Cloud Ltd. HR Portal Affected: 7.3.2023.0510
Affected: 7.3.2023.0705
Create a notification for this product.
Date Public
2023-09-15 01:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:10:06.630Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-7347-2653e-1.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34357",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T19:50:13.084761Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T19:50:30.068Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HR Portal",
          "vendor": "Soar Cloud Ltd. ",
          "versions": [
            {
              "status": "affected",
              "version": "7.3.2023.0510"
            },
            {
              "status": "affected",
              "version": "7.3.2023.0705"
            }
          ]
        }
      ],
      "datePublic": "2023-09-15T01:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eSoar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\n\n"
            }
          ],
          "value": "\nSoar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-50",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-50 Password Recovery Exploitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-07T02:00:15.946Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "url": "https://www.twcert.org.tw/tw/cp-132-7347-2653e-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nUpdate to\u0026nbsp;7.3.2023.0705\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nUpdate to\u00a07.3.2023.0705\n\n\n"
        }
      ],
      "source": {
        "advisory": "TVN-202309001",
        "discovery": "EXTERNAL"
      },
      "title": "Soar Cloud Ltd. HR Portal - Weak Password Recovery Mechanism for Forgotten Password",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2023-34357",
    "datePublished": "2023-09-07T02:00:15.946Z",
    "dateReserved": "2023-06-02T08:28:37.821Z",
    "dateUpdated": "2024-09-26T19:50:30.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-30466 (GCVE-0-2023-30466)

Vulnerability from cvelistv5 – Published: 2023-04-28 10:06 – Updated: 2025-01-30 17:16
VLAI
Title
Authentication Bypass Vulnerability in Milesight Network Video Recorder (NVR)
Summary
This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device. Successful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
Milesight NVR MS-Nxxxx-xxG Affected: 77.X , < 77.9.0.18-r2 (custom)
Create a notification for this product.
Milesight NVR MS-Nxxxx-xxE Affected: 75.X , < 75.9.0.18-r2 (custom)
Create a notification for this product.
Milesight NVR MS-Nxxxx-xxT Affected: 72.X , < 72.9.0.18-r2 (custom)
Create a notification for this product.
Milesight NVR MS-Nxxxx-xxH Affected: 71.X , < 71.9.0.18-r2 (custom)
Create a notification for this product.
Milesight NVR MS-Nxxxx-xxC Affected: 73.X , < 73.9.0.18-r2 (custom)
Create a notification for this product.
Credits
This vulnerability is reported by Souvik Kandar and Arko Dhar from Redinent Innovations Engineering & Research Team, Karnataka, India.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:28:50.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0121"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-30466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-30T17:15:10.264699Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-30T17:16:05.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NVR MS-Nxxxx-xxG",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThan": "77.9.0.18-r2",
              "status": "affected",
              "version": "77.X",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "NVR MS-Nxxxx-xxE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThan": "75.9.0.18-r2",
              "status": "affected",
              "version": "75.X",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "NVR MS-Nxxxx-xxT",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThan": "72.9.0.18-r2",
              "status": "affected",
              "version": "72.X",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "NVR MS-Nxxxx-xxH ",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThan": "71.9.0.18-r2",
              "status": "affected",
              "version": "71.X",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "NVR MS-Nxxxx-xxC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThan": "73.9.0.18-r2",
              "status": "affected",
              "version": "73.X",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "This vulnerability is reported by Souvik Kandar and Arko Dhar from Redinent Innovations Engineering \u0026 Research Team, Karnataka, India."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003e\u003c/b\u003e\u003c/p\u003e\n\n\n\n\n\n\u003cb\u003e\u003c/b\u003e\u003cb\u003e\u003c/b\u003e"
            }
          ],
          "value": "This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.\n\nSuccessful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device.\n\n\n\n\n\n\n\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-50",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-50 Password Recovery Exploitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T10:06:26.684Z",
        "orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
        "shortName": "CERT-In"
      },
      "references": [
        {
          "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0121"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate\nMilesight NVR firmware to latest version \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.milesight.com/support/download/firmware\"\u003ehttps://www.milesight.com/support/download/firmware\u003c/a\u003e\u003c/p\u003e\n\n\n\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Update\nMilesight NVR firmware to latest version \u00a0\n\n https://www.milesight.com/support/download/firmware https://www.milesight.com/support/download/firmware \n\n\n\n\n\n\n\n\n\n\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass Vulnerability in Milesight Network Video Recorder (NVR)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
    "assignerShortName": "CERT-In",
    "cveId": "CVE-2023-30466",
    "datePublished": "2023-04-28T10:06:26.684Z",
    "dateReserved": "2023-04-10T10:20:17.200Z",
    "dateUpdated": "2025-01-30T17:16:05.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7264 (GCVE-0-2023-7264)

Vulnerability from cvelistv5 – Published: 2024-06-11 03:16 – Updated: 2026-04-08 17:33
VLAI
Title
Build App Online <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism
Summary
The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.22. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
hakeemnala Build App Online Affected: 0 , ≤ 1.0.22 (semver)
Create a notification for this product.
rahamsolutions build_app_online Affected: 0 , ≤ 1.0.21 (custom)
    cpe:2.3:a:rahamsolutions:build_app_online:*:*:*:*:*:wordpress:*:*
Create a notification for this product.
Credits
Ramuel Gall
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rahamsolutions:build_app_online:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "build_app_online",
            "vendor": "rahamsolutions",
            "versions": [
              {
                "lessThanOrEqual": "1.0.21",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7264",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T12:57:14.135110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T12:57:54.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:57:35.098Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Build App Online",
          "vendor": "hakeemnala",
          "versions": [
            {
              "lessThanOrEqual": "1.0.22",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ramuel Gall"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.22. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:33:26.719Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3201569%40build-app-online\u0026new=3201569%40build-app-online\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-27T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Build App Online \u003c= 1.0.22 - Account Takeover via Weak Password Reset Mechanism"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-7264",
    "datePublished": "2024-06-11T03:16:59.623Z",
    "dateReserved": "2024-05-28T14:43:04.373Z",
    "dateUpdated": "2026-04-08T17:33:26.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-7028 (GCVE-0-2023-7028)

Vulnerability from cvelistv5 – Published: 2024-01-12 13:56 – Updated: 2026-05-26 04:05
VLAI
Title
Weak Password Recovery Mechanism for Forgotten Password in GitLab
Summary
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
SSVC
Exploitation: active Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 16.1 , < 16.1.6 (semver)
Affected: 16.2 , < 16.2.9 (semver)
Affected: 16.3 , < 16.3.7 (semver)
Affected: 16.4 , < 16.4.5 (semver)
Affected: 16.5 , < 16.5.6 (semver)
Affected: 16.6 , < 16.6.4 (semver)
Affected: 16.7 , < 16.7.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [asterion04](https://hackerone.com/asterion04) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7028",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-02T17:50:56.921719Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-05-01",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7028"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:05:28.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7028"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2024-05-01T00:00:00.000Z",
            "value": "CVE-2023-7028 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-19T07:48:03.820Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #436084",
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/436084"
          },
          {
            "name": "HackerOne Bug Bounty Report #2293343",
            "tags": [
              "technical-description",
              "exploit",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/2293343"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerability-cve-2023-7028"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "16.1.6",
              "status": "affected",
              "version": "16.1",
              "versionType": "semver"
            },
            {
              "lessThan": "16.2.9",
              "status": "affected",
              "version": "16.2",
              "versionType": "semver"
            },
            {
              "lessThan": "16.3.7",
              "status": "affected",
              "version": "16.3",
              "versionType": "semver"
            },
            {
              "lessThan": "16.4.5",
              "status": "affected",
              "version": "16.4",
              "versionType": "semver"
            },
            {
              "lessThan": "16.5.6",
              "status": "affected",
              "version": "16.5",
              "versionType": "semver"
            },
            {
              "lessThan": "16.6.4",
              "status": "affected",
              "version": "16.6",
              "versionType": "semver"
            },
            {
              "lessThan": "16.7.2",
              "status": "affected",
              "version": "16.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [asterion04](https://hackerone.com/asterion04) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T04:05:15.369Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #436084",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/436084"
        },
        {
          "name": "HackerOne Bug Bounty Report #2293343",
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://hackerone.com/reports/2293343"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9, 16.1.6 or above."
        }
      ],
      "title": "Weak Password Recovery Mechanism for Forgotten Password in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2023-7028",
    "datePublished": "2024-01-12T13:56:41.726Z",
    "dateReserved": "2023-12-20T20:30:37.127Z",
    "dateUpdated": "2026-05-26T04:05:15.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-5959 (GCVE-0-2023-5959)

Vulnerability from cvelistv5 – Published: 2023-11-11 09:00 – Updated: 2024-08-02 08:14
VLAI
Title
Byzoro Smart S85F Management Platform login.php password recovery
Summary
A vulnerability, which was classified as problematic, was found in Byzoro Smart S85F Management Platform V31R02B10-01. Affected is an unknown function of the file /login.php. The manipulation of the argument txt_newpwd leads to weak password recovery. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-244992. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.244992 vdb-entrytechnical-description
https://vuldb.com/?ctiid.244992 signaturepermissions-required
https://vuldb.com/?submit.232562 third-party-advisory
https://github.com/Changboqian/cve/blob/main/rese… exploit
Impacted products
Credits
changboqian (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:14:25.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VDB-244992 | Byzoro Smart S85F Management Platform login.php password recovery",
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.244992"
          },
          {
            "name": "VDB-244992 | CTI Indicators (IOB, IOC, TTP, IOA)",
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.244992"
          },
          {
            "name": "Submit #232562 | yzro Networks Smart S85F management platform has a vulnerability in improper password reset",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?submit.232562"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://github.com/Changboqian/cve/blob/main/reset_password_improperly.md"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Smart S85F Management Platform",
          "vendor": "Byzoro",
          "versions": [
            {
              "status": "affected",
              "version": "V31R02B10-01"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "changboqian (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, was found in Byzoro Smart S85F Management Platform V31R02B10-01. Affected is an unknown function of the file /login.php. The manipulation of the argument txt_newpwd leads to weak password recovery. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-244992. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Byzoro Smart S85F Management Platform V31R02B10-01 gefunden. Sie wurde als problematisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei /login.php. Dank der Manipulation des Arguments txt_newpwd mit unbekannten Daten kann eine weak password recovery-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-09T08:34:24.035Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-244992 | Byzoro Smart S85F Management Platform login.php password recovery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.244992"
        },
        {
          "name": "VDB-244992 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.244992"
        },
        {
          "name": "Submit #232562 | yzro Networks Smart S85F management platform has a vulnerability in improper password reset",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.232562"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Changboqian/cve/blob/main/reset_password_improperly.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-11-05T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-11-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-11-11T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-04-09T09:06:55.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Byzoro Smart S85F Management Platform login.php password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-5959",
    "datePublished": "2023-11-11T09:00:06.698Z",
    "dateReserved": "2023-11-05T16:46:30.333Z",
    "dateUpdated": "2024-08-02T08:14:25.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5840 (GCVE-0-2023-5840)

Vulnerability from cvelistv5 – Published: 2023-10-29 00:00 – Updated: 2024-09-06 19:33
VLAI
Title
Weak Password Recovery Mechanism for Forgotten Password in linkstackorg/linkstack
Summary
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
linkstackorg linkstackorg/linkstack Affected: unspecified , < v4.2.9 (custom)
Create a notification for this product.
linkstack linkstack Affected: 0 , < 4.2.9 (custom)
    cpe:2.3:a:linkstack:linkstack:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:14:24.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/8042d8c3-650e-4c0d-9146-d9ccf6082b30"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/linkstackorg/linkstack/commit/fe7b99eae88f9e4c4cd4b00bab372cbf4b584b16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:linkstack:linkstack:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linkstack",
            "vendor": "linkstack",
            "versions": [
              {
                "lessThan": "4.2.9",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5840",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T19:28:46.680285Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T19:33:23.795Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "linkstackorg/linkstack",
          "vendor": "linkstackorg",
          "versions": [
            {
              "lessThan": "v4.2.9",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-29T00:00:20.031Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/8042d8c3-650e-4c0d-9146-d9ccf6082b30"
        },
        {
          "url": "https://github.com/linkstackorg/linkstack/commit/fe7b99eae88f9e4c4cd4b00bab372cbf4b584b16"
        }
      ],
      "source": {
        "advisory": "8042d8c3-650e-4c0d-9146-d9ccf6082b30",
        "discovery": "EXTERNAL"
      },
      "title": "Weak Password Recovery Mechanism for Forgotten Password in linkstackorg/linkstack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-5840",
    "datePublished": "2023-10-29T00:00:20.031Z",
    "dateReserved": "2023-10-29T00:00:07.451Z",
    "dateUpdated": "2024-09-06T19:33:23.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.