CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-2QXR-Q4FF-F53J
Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2024-11103"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-28T10:15:06Z",
"severity": "CRITICAL"
},
"details": "The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-2qxr-q4ff-f53j",
"modified": "2024-11-28T18:38:36Z",
"published": "2024-11-28T18:38:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php#L31"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-password-reset.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3196011/contest-gallery/tags/24.0.8/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php?old=3190068\u0026old_path=contest-gallery%2Ftags%2F24.0.7%2Fv10%2Fv10-admin%2Fusers%2Ffrontend%2Flogin%2Fajax%2Fusers-login-check-ajax-lost-password.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0df7f413-2631-46d9-8c0b-d66f05a02c01?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2R4Q-H9QR-QQJP
Vulnerability from github – Published: 2023-08-21 03:30 – Updated: 2023-08-21 03:30A vulnerability was found in OpenRapid RapidCMS 1.3.1 and classified as critical. This issue affects some unknown processing of the file admin/run-movepass.php. The manipulation of the argument password/password2 leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 4dff387283060961c362d50105ff8da8ea40bcbe. It is recommended to apply a patch to fix this issue. The identifier VDB-237569 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-4448"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-21T02:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in OpenRapid RapidCMS 1.3.1 and classified as critical. This issue affects some unknown processing of the file admin/run-movepass.php. The manipulation of the argument password/password2 leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 4dff387283060961c362d50105ff8da8ea40bcbe. It is recommended to apply a patch to fix this issue. The identifier VDB-237569 was assigned to this vulnerability.",
"id": "GHSA-2r4q-h9qr-qqjp",
"modified": "2023-08-21T03:30:16Z",
"published": "2023-08-21T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4448"
},
{
"type": "WEB",
"url": "https://github.com/OpenRapid/rapidcms/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/OpenRapid/rapidcms/commit/4dff387283060961c362d50105ff8da8ea40bcbe#diff-fc57d4c69cf5912c6edb5233c6df069a91106ebd481c115faf1ea124478b26d0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.237569"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.237569"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2RRX-P33R-295R
Vulnerability from github – Published: 2025-03-13 12:30 – Updated: 2025-03-13 12:30This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users.
{
"affected": [],
"aliases": [
"CVE-2025-29995"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-13T12:15:13Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users.",
"id": "GHSA-2rrx-p33r-295r",
"modified": "2025-03-13T12:30:32Z",
"published": "2025-03-13T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29995"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2W46-VQ8H-98VH
Vulnerability from github – Published: 2025-11-14 20:42 – Updated: 2025-11-14 20:42Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.
PoC
- Log in to a Shopware account.
- Request a password reset for your current email address.
- Copy the password reset link but do not open it.
- Log back into your account.n
- Navigate to Account Settings → Email and change your email address.
- Use the previously copied reset link (from before the email change).
- The system allows password change using the old link.
Impact
Reproduced on Stable 6.6.10.7 and trunk.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0.0"
},
{
"fixed": "6.7.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T20:42:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nWhen a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer\u2019s password even after the user changes their email address.\n\n### PoC\n\n1. Log in to a Shopware account.\n2. Request a password reset for your current email address.\n3. Copy the password reset link but do not open it.\n4. Log back into your account.n\n5. Navigate to Account Settings \u2192 Email and change your email address.\n6. Use the previously copied reset link (from before the email change).\n7. The system allows password change using the old link.\n\n### Impact\nReproduced on Stable 6.6.10.7 and trunk.",
"id": "GHSA-2w46-vq8h-98vh",
"modified": "2025-11-14T20:42:24Z",
"published": "2025-11-14T20:42:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Shopware 6\u0027s password recovery link does not expire after email change"
}
GHSA-2WMJ-46RJ-QM2W
Vulnerability from github – Published: 2023-11-29 21:32 – Updated: 2023-11-30 15:03Impact
ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account.
Accounts with MFA or Passwordless enabled can not be taken over by this attack.
Patches
The patched ZITADEL versions verify, that the auth requests instance is retrieved by the requests original domain (from the Forwarded or X-Forwarded-Host headers if available). If the instance can't be found using the original host or the auth request can't be found within that instance, ZITADEL throws an error.
2.x versions are fixed on >= 2.41.6 2.40.x versions are fixed on >= 2.40.10 2.39.x versions are fixed on >= 2.39.9
The vulnerablility was introduced with 2.39.0.
Workarounds
A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.
References
None
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.39.0"
},
{
"fixed": "2.39.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.40.0"
},
{
"fixed": "2.40.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.41.0"
},
{
"fixed": "2.41.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49097"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-29T21:32:51Z",
"nvd_published_at": "2023-11-30T05:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\n\nZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account.\n\nAccounts with MFA or Passwordless enabled can not be taken over by this attack.\n\n### Patches\n\nThe patched ZITADEL versions verify, that the auth requests instance is retrieved by the requests original domain (from the Forwarded or X-Forwarded-Host headers if available). If the instance can\u0027t be found using the original host or the auth request can\u0027t be found within that instance, ZITADEL throws an error.\n\n2.x versions are fixed on \u003e= [2.41.6](https://github.com/zitadel/zitadel/releases/tag/v2.41.6)\n2.40.x versions are fixed on \u003e= [2.40.10](https://github.com/zitadel/zitadel/releases/tag/v2.40.10)\n2.39.x versions are fixed on \u003e= [2.39.9](https://github.com/zitadel/zitadel/releases/tag/v2.39.9)\n\nThe vulnerablility was introduced with 2.39.0.\n\n### Workarounds\n\nA ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.\n\n### References\n\nNone\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n",
"id": "GHSA-2wmj-46rj-qm2w",
"modified": "2023-11-30T15:03:20Z",
"published": "2023-11-29T21:32:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49097"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ZITADEL Account Takeover via Malicious Host Header Injection"
}
GHSA-327M-FMGH-C794
Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-14 15:30An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.
{
"affected": [],
"aliases": [
"CVE-2025-50594"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T17:15:27Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.",
"id": "GHSA-327m-fmgh-c794",
"modified": "2025-08-14T15:30:35Z",
"published": "2025-08-13T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50594"
},
{
"type": "WEB",
"url": "https://www.aecyberpro.com/blog/general/2025-04-30-Account-Takeover-BOLA-Hospital-Management-System-EMR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-338P-FCWM-8FGC
Vulnerability from github – Published: 2026-05-05 15:31 – Updated: 2026-05-06 18:30An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
{
"affected": [],
"aliases": [
"CVE-2026-34408"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T14:16:08Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.",
"id": "GHSA-338p-fcwm-8fgc",
"modified": "2026-05-06T18:30:30Z",
"published": "2026-05-05T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34408"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/security-advisories/usd-2024-0002"
},
{
"type": "WEB",
"url": "https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-34CX-HVM4-VX7J
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-02-10 14:17An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.1-rc1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18908"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T22:48:56Z",
"nvd_published_at": "2020-06-19T20:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.",
"id": "GHSA-34cx-hvm4-vx7j",
"modified": "2026-02-10T14:17:04Z",
"published": "2022-05-24T17:21:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18908"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/59139390ae927af2e879dbacfe4dadb1adac97c0"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/d3bc11be3acd3a73e6358d958b91427e2584ea71"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/e5065cf7575ee05c040945a4b00b7fd90bf39b83"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Server password reset email requests can be sent to attacker-provided email addresses"
}
GHSA-35FG-HJCR-J65F
Vulnerability from github – Published: 2022-02-09 21:51 – Updated: 2022-02-09 21:51Impact
It's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users.
Patches
The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.
Workarounds
There's no easy workaround other than applying the upgrade.
References
https://jira.xwiki.org/browse/XWIKI-18787
For more information
If you have any questions or comments about this advisory: * Open an issue in JIRA * Email us at XWiki Security Mailing list
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "13.5RC1"
},
{
"fixed": "13.6RC1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.10.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23619"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-09T21:51:19Z",
"nvd_published_at": "2022-02-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIt\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users.\n\n### Patches\nThe problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.\n\n### Workarounds\nThere\u0027s no easy workaround other than applying the upgrade.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-18787\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [JIRA](https://jira.xwiki.org)\n* Email us at [XWiki Security Mailing list](mailto:security@xwiki.org)\n",
"id": "GHSA-35fg-hjcr-j65f",
"modified": "2022-02-09T21:51:19Z",
"published": "2022-02-09T21:51:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23619"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-18787"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information exposure in xwiki-platform"
}
GHSA-365P-96QV-XR7G
Vulnerability from github – Published: 2018-10-16 19:56 – Updated: 2022-04-26 19:06ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.1"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.HttpOverrides"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.1"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.AspNetCore.Server.Kestrel.Core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-0787"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:54:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka \"ASP.NET Core Elevation Of Privilege Vulnerability\".",
"id": "GHSA-365p-96qv-xr7g",
"modified": "2022-04-26T19:06:29Z",
"published": "2018-10-16T19:56:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0787"
},
{
"type": "WEB",
"url": "https://github.com/aspnet/Announcements/issues/295"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-365p-96qv-xr7g"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103282"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040525"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ASP.NET Core allow an elevation of privilege"
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.