CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-25HW-9R4R-54W4
Vulnerability from github – Published: 2026-05-09 03:31 – Updated: 2026-05-09 03:31The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.
{
"affected": [],
"aliases": [
"CVE-2026-7652"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-09T03:16:15Z",
"severity": "MODERATE"
},
"details": "The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer\u0027s email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow\u0027s ability to overwrite an existing customer\u0027s email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.",
"id": "GHSA-25hw-9r4r-54w4",
"modified": "2026-05-09T03:31:22Z",
"published": "2026-05-09T03:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7652"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0\u0026new_path=%2Flatepoint/tags/5.5.1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2FV7-MV57-WHF5
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.
{
"affected": [],
"aliases": [
"CVE-2025-61977"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T22:15:48Z",
"severity": "HIGH"
},
"details": "A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.",
"id": "GHSA-2fv7-mv57-whf5",
"modified": "2025-10-24T00:30:53Z",
"published": "2025-10-24T00:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61977"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
},
{
"type": "WEB",
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
},
{
"type": "WEB",
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2FWF-JC53-G325
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126.
{
"affected": [],
"aliases": [
"CVE-2021-29080"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-23T07:15:00Z",
"severity": "HIGH"
},
"details": "Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126.",
"id": "GHSA-2fwf-jc53-g325",
"modified": "2022-05-24T17:45:08Z",
"published": "2022-05-24T17:45:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29080"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000063007/Security-Advisory-for-Pre-authentication-Password-Reset-on-Some-Routers-and-WiFi-Systems-PSV-2019-0150"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2G5R-9GQC-W68V
Vulnerability from github – Published: 2026-05-31 06:31 – Updated: 2026-05-31 06:31A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-10169"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-31T05:16:24Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-2g5r-9gqc-w68v",
"modified": "2026-05-31T06:31:49Z",
"published": "2026-05-31T06:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10169"
},
{
"type": "WEB",
"url": "https://github.com/OUSL-GROUP-BrinaryBrains/School-Student-Management-System/issues/26"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/819395"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367423"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367423/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2H3V-69MW-9J56
Vulnerability from github – Published: 2026-04-16 18:31 – Updated: 2026-04-16 18:31Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-36579"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T17:16:54Z",
"severity": "MODERATE"
},
"details": "Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access.",
"id": "GHSA-2h3v-69mw-9j56",
"modified": "2026-04-16T18:31:22Z",
"published": "2026-04-16T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36579"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000300450/dsa-2025-153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2HP9-3XFR-R9W2
Vulnerability from github – Published: 2023-04-27 03:30 – Updated: 2025-01-31 21:35An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Serenity.Net.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Serenity.Net.Web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31287"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-27T17:09:21Z",
"nvd_published_at": "2023-04-27T03:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.",
"id": "GHSA-2hp9-3xfr-r9w2",
"modified": "2025-01-31T21:35:22Z",
"published": "2023-04-27T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31287"
},
{
"type": "WEB",
"url": "https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2"
},
{
"type": "PACKAGE",
"url": "https://github.com/serenity-is/Serenity"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/172648"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172648/Serenity-StartSharp-Software-File-Upload-XSS-User-Enumeration-Reusable-Tokens.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/May/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient token expiration in Serenity"
}
GHSA-2M59-X3QC-R6MM
Vulnerability from github – Published: 2024-10-25 09:32 – Updated: 2024-11-05 18:32The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.
{
"affected": [],
"aliases": [
"CVE-2024-9302"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T07:15:05Z",
"severity": "HIGH"
},
"details": "The App Builder \u2013 Create Native Android \u0026 iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.",
"id": "GHSA-2m59-x3qc-r6mm",
"modified": "2024-11-05T18:32:01Z",
"published": "2024-10-25T09:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9302"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.3.1/includes/Di/Service/Auth/ForgotPassword.php#L196"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.3.1/includes/Di/Service/Auth/ForgotPassword.php#L247"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3161215"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0eb9d676-4fa0-4bdc-af44-5d7e1dd8c6e6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2MFV-2F5W-P9FQ
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php.
{
"affected": [],
"aliases": [
"CVE-2022-27157"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T18:15:00Z",
"severity": "CRITICAL"
},
"details": "pearweb \u003c 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php.",
"id": "GHSA-2mfv-2f5w-p9fq",
"modified": "2022-04-23T00:03:12Z",
"published": "2022-04-16T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27157"
},
{
"type": "WEB",
"url": "https://github.com/pear/pearweb/commit/6447c174a6b4bd76d28ecca8543cbd24bf394f99#diff-204452a70c5b0b0084097fcff6aee77c2c38cb77a41c4b2dd0065fda37a7489c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2MW7-F37Q-33MG
Vulnerability from github – Published: 2024-02-13 09:30 – Updated: 2024-02-13 09:30Dell PowerProtect Data Manager, version 19.15 and prior versions, contain a weak password recovery mechanism for forgotten passwords. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change
{
"affected": [],
"aliases": [
"CVE-2024-22454"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T08:16:35Z",
"severity": "HIGH"
},
"details": "\nDell PowerProtect Data Manager, version 19.15 and prior versions, contain a weak password recovery mechanism for forgotten passwords. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change\n\n",
"id": "GHSA-2mw7-f37q-33mg",
"modified": "2024-02-13T09:30:32Z",
"published": "2024-02-13T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22454"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PHX-W35G-X9VM
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2024-04-23 23:41In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.7"
},
{
"fixed": "2.7.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.9"
},
{
"fixed": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-7038"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T23:41:16Z",
"nvd_published_at": "2017-01-20T08:59:00Z",
"severity": "HIGH"
},
"details": "In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.",
"id": "GHSA-2phx-w35g-x9vm",
"modified": "2024-04-23T23:41:16Z",
"published": "2022-05-13T01:12:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7038"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=339631"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Moodle Weak Password Recovery Mechanism for Forgotten Password"
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.