Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-3743-C947-MRHR

Vulnerability from github – Published: 2024-12-10 03:31 – Updated: 2024-12-11 18:30
VLAI
Details

CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T02:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.",
  "id": "GHSA-3743-c947-mrhr",
  "modified": "2024-12-11T18:30:42Z",
  "published": "2024-12-10T03:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53552"
    },
    {
      "type": "WEB",
      "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37HX-4MCQ-WC3H

Vulnerability from github – Published: 2021-10-06 17:48 – Updated: 2021-10-06 14:09
VLAI
Summary
Weak Password Recovery Mechanism for Forgotten Password in Strapi
Details

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T14:09:30Z",
    "nvd_published_at": "2021-05-06T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Strapi through 3.6.0, the admin panel allows the changing of one\u0027s own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.",
  "id": "GHSA-37hx-4mcq-wc3h",
  "modified": "2021-10-06T14:09:30Z",
  "published": "2021-10-06T17:48:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/issues/9657"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v3.6.0"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weak Password Recovery Mechanism for Forgotten Password in Strapi"
}

GHSA-3CHH-Q8FX-PC2W

Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 18:30
VLAI
Details

Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-16T16:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.",
  "id": "GHSA-3chh-q8fx-pc2w",
  "modified": "2024-08-07T18:30:40Z",
  "published": "2024-06-16T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38468"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pumpkin-ito/Cve-Vuln/blob/main/Guosen%20synthetic%20imaging%20system%20vulnerability.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3H52-R54R-FVGF

Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-04-07 18:31
VLAI
Details

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T22:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.",
  "id": "GHSA-3h52-r54r-fvgf",
  "modified": "2026-04-07T18:31:29Z",
  "published": "2026-02-08T00:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/macrozheng/mall/issues/946"
    },
    {
      "type": "WEB",
      "url": "https://www.macrozheng.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3H75-4G3F-6JHW

Vulnerability from github – Published: 2023-09-19 15:30 – Updated: 2024-04-04 07:44
VLAI
Details

Weak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0, which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-19T14:15:25Z",
    "severity": "HIGH"
  },
  "details": "Weak password recovery mechanism vulnerability in Fujitsu Arconte \u00c1urea version 1.5.0.0,\u00a0which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.",
  "id": "GHSA-3h75-4g3f-6jhw",
  "modified": "2024-04-04T07:44:02Z",
  "published": "2023-09-19T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4096"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fujitsu-arconte-aurea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PM3-FG5F-VGVX

Vulnerability from github – Published: 2026-07-11 09:34 – Updated: 2026-07-11 09:34
VLAI
Details

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-11T07:16:46Z",
    "severity": "HIGH"
  },
  "details": "The Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers \u2014 the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator\u0027s password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.",
  "id": "GHSA-3pm3-fg5f-vgvx",
  "modified": "2026-07-11T09:34:18Z",
  "published": "2026-07-11T09:34:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15155"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Elements/Login_Register.php#L3333"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1271"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1622"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Elements/Login_Register.php#L3333"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1271"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1622"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3601504/essential-addons-for-elementor-lite/trunk/includes/Traits/Login_Registration.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fessential-addons-for-elementor-lite/tags/6.6.10\u0026new_path=%2Fessential-addons-for-elementor-lite/tags/6.6.11"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe8cf6c-b1fa-4f71-bb63-c8b181e54882?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QRQ-R688-VVH4

Vulnerability from github – Published: 2022-04-28 21:02 – Updated: 2022-04-28 21:02
VLAI
Summary
Multiple valid tokens for password reset in Shopware
Details

Impact

Multiple tokens for password reset could be requested. All tokens could be used to change the password. This makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours.

Patches

We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/shopware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.4"
            },
            {
              "fixed": "5.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-28T21:02:17Z",
    "nvd_published_at": "2022-04-28T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nMultiple tokens for password reset could be requested. All tokens could be used to change the password.\nThis makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours.\n\n### Patches\nWe recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-9\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022",
  "id": "GHSA-3qrq-r688-vvh4",
  "modified": "2022-04-28T21:02:17Z",
  "published": "2022-04-28T21:02:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24892"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    },
    {
      "type": "WEB",
      "url": "https://www.shopware.com/en/changelog-sw5/#5-7-9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple valid tokens for password reset in Shopware"
}

GHSA-42XW-2V8P-RRF7

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:26
VLAI
Details

An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-02T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.",
  "id": "GHSA-42xw-2v8p-rrf7",
  "modified": "2024-04-04T00:26:04Z",
  "published": "2022-05-24T16:45:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grymer/CVE/blob/master/CVE-2018-16988.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-434R-HJ47-RPJJ

Vulnerability from github – Published: 2026-03-20 06:31 – Updated: 2026-03-20 06:31
VLAI
Details

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-20T04:16:50Z",
    "severity": "MODERATE"
  },
  "details": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the \u0027rcp_redirect\u0027 parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.",
  "id": "GHSA-434r-hj47-rpjj",
  "modified": "2026-03-20T06:31:33Z",
  "published": "2026-03-20T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4136"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.24/core/includes/login-functions.php#L270"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3486071/restrict-content"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-8357-36c82cbef28f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43QC-6X8C-RGGM

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2024-04-04 03:04
VLAI
Details

The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-19T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.",
  "id": "GHSA-43qc-6x8c-rggm",
  "modified": "2024-04-04T03:04:11Z",
  "published": "2022-05-24T17:39:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/afbf95a478b6e94f532ca0776c79da1b08be7eed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.