CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-863X-VCG8-VGHR
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication.
{
"affected": [],
"aliases": [
"CVE-2020-5361"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-04T22:15:00Z",
"severity": "HIGH"
},
"details": "Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication.",
"id": "GHSA-863x-vcg8-vghr",
"modified": "2022-05-24T17:37:58Z",
"published": "2022-05-24T17:37:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5361"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000180741/dsa-2020-119-dell-client-products-unauthorized-bios-password-reset-tool-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8GQM-CRWV-8R3M
Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43A weak password recovery vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows attacker to carry out information disclosure via the Forgotten Password feature.
{
"affected": [],
"aliases": [
"CVE-2017-7731"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-27T00:29:00Z",
"severity": "HIGH"
},
"details": "A weak password recovery vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows attacker to carry out information disclosure via the Forgotten Password feature.",
"id": "GHSA-8gqm-crwv-8r3m",
"modified": "2022-05-17T02:43:13Z",
"published": "2022-05-17T02:43:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7731"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-17-114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8J9J-8QFF-CVRC
Vulnerability from github – Published: 2023-09-04 15:30 – Updated: 2024-04-04 07:26Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user´s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.
{
"affected": [],
"aliases": [
"CVE-2023-3222"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T13:15:33Z",
"severity": "HIGH"
},
"details": "Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user\u00b4s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.",
"id": "GHSA-8j9j-8qff-cvrc",
"modified": "2024-04-04T07:26:16Z",
"published": "2023-09-04T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3222"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-roundcube-password-recovery-plugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8M5F-2XVP-2C8W
Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2024-01-12 21:25A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to silently create a recovery pass code for any user.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50172"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T21:25:52Z",
"nvd_published_at": "2024-01-10T16:15:49Z",
"severity": "MODERATE"
},
"details": "A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to silently create a recovery pass code for any user.",
"id": "GHSA-8m5f-2xvp-2c8w",
"modified": "2024-01-12T21:25:52Z",
"published": "2024-01-10T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50172"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/15fed957fb64b4055158acfc449bd7974346edb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1897"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "WWBN AVideo recovery notification bypass vulnerability"
}
GHSA-8W64-6CPX-85PH
Vulnerability from github – Published: 2026-05-27 03:30 – Updated: 2026-05-27 03:30A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-9609"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T02:16:35Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-8w64-6cpx-85ph",
"modified": "2026-05-27T03:30:31Z",
"published": "2026-05-27T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9609"
},
{
"type": "WEB",
"url": "https://github.com/QianFox/FoxCMS/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/QianFox/FoxCMS"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/818343"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365682"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365682/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8WGF-F4HV-W5QC
Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-02-11 21:30AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
{
"affected": [],
"aliases": [
"CVE-2020-37172"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T21:16:09Z",
"severity": "HIGH"
},
"details": "AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user\u0027s recovery token to change account credentials without authentication.",
"id": "GHSA-8wgf-f4hv-w5qc",
"modified": "2026-02-11T21:30:40Z",
"published": "2026-02-11T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37172"
},
{
"type": "WEB",
"url": "https://avideo.com"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48003"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9473-JHHC-4CQ3
Vulnerability from github – Published: 2025-09-12 18:31 – Updated: 2025-09-12 18:31A vulnerability has been found in Wavlink WL-WN578W2 221110. The affected element is an unknown function of the file /sysinit.html. The manipulation of the argument newpass/confpass leads to weak password recovery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10322"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-12T18:15:33Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Wavlink WL-WN578W2 221110. The affected element is an unknown function of the file /sysinit.html. The manipulation of the argument newpass/confpass leads to weak password recovery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-9473-jhhc-4cq3",
"modified": "2025-09-12T18:31:10Z",
"published": "2025-09-12T18:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10322"
},
{
"type": "WEB",
"url": "https://github.com/ZZ2266/.github.io/tree/main/WAVLINK/WL-WN578W2/sysinit.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.323748"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.323748"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.643433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-95FV-5GFJ-2R84
Vulnerability from github – Published: 2025-12-08 16:25 – Updated: 2025-12-29 19:43Withdrawn Advisory
This advisory has been withdrawn because it incorrectly listed MediaBrowser.Server.Core as vulnerable. CVE-2025-64113 affects Emby Server versions 4.9.1.80 and prior, and Emby Server Beta versions 4.9.2.6 and prior.
Original Description
Impact
This vulnerability affects all Emby Server versions - beta and stable up to the specified versions. It allows an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level,). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable.
Patches
Quick Fix
A quick fix will be rolled out via an update to one of the default-included Emby Server plugins. This way is chosen because many users are updating their servers manually while plugin updates are typically configured to be applied automatically. This allows to get a patch deployed to a large amount of servers within a single day.
Server Patches
Patched versions for both, Emby Server stable and Emby Server beta are available now.
All Emby Server owners are strongly encouraged to apply those updates as soon as possible.
Workarounds
[!NOTE] These workarounds are OBSOLETE now. Please update Emby Server instead!
As and immediate remedy, it is possible to set restricted file system permissions on the passwordreset.txt file in the configuration folder of Emby Server. If it doesn't exist, users can create the file themselves or just call the ForgotPassword API once, which will create the file.
On Windows, users can set DENY permissions for "Authenticated users" and on Linux, permissions can be set via sudo chmod 444 passwordreset.txt.
This will make the API request fail, which completely eliminates the vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.9.1.80"
},
"package": {
"ecosystem": "NuGet",
"name": "MediaBrowser.Server.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.1.81"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64113"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T16:25:53Z",
"nvd_published_at": "2025-12-09T20:15:54Z",
"severity": "CRITICAL"
},
"details": "### Withdrawn Advisory\nThis advisory has been withdrawn because it incorrectly listed [MediaBrowser.Server.Core](https://www.nuget.org/packages/MediaBrowser.Server.Core) as vulnerable. CVE-2025-64113 affects Emby Server versions 4.9.1.80 and prior, and Emby Server Beta versions 4.9.2.6 and prior.\n\n### Original Description\n### Impact\n\nThis vulnerability affects all Emby Server versions - beta and stable up to the specified versions.\nIt allows an attacker to gain full administrative access to an Emby Server (for Emby Server administration, **not at the OS level**,).\nOther than network access, no specific preconditions need to be fulfilled for a server to be vulnerable.\n\n### Patches\n\n#### Quick Fix\n\nA quick fix will be rolled out via an update to one of the default-included Emby Server plugins.\nThis way is chosen because many users are updating their servers manually while plugin updates are typically configured to be applied automatically. This allows to get a patch deployed to a large amount of servers within a single day.\n\n#### Server Patches\n\nPatched versions for both, Emby Server stable and Emby Server beta are available now.\n\n**All Emby Server owners are strongly encouraged to apply those updates as soon as possible.**\n\n\n### Workarounds\n\n\u003e [!NOTE]\n\u003e These workarounds are OBSOLETE now. Please update Emby Server instead!\n\nAs and immediate remedy, it is possible to set restricted file system permissions on the `passwordreset.txt` file in the configuration folder of Emby Server. If it doesn\u0027t exist, users can create the file themselves or just call the ForgotPassword API once, which will create the file.\n\nOn Windows, users can set DENY permissions for \"Authenticated users\" and on Linux, permissions can be set via `sudo chmod 444 passwordreset.txt`.\nThis will make the API request fail, which completely eliminates the vulnerability.",
"id": "GHSA-95fv-5gfj-2r84",
"modified": "2025-12-29T19:43:24Z",
"published": "2025-12-08T16:25:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64113"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmbySupport/Emby.Security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn Advisory: Emby Server API Vulnerability allowing to gain administrative access without precondition",
"withdrawn": "2025-12-29T19:43:24Z"
}
GHSA-95VM-PH4X-XHV5
Vulnerability from github – Published: 2024-09-11 21:30 – Updated: 2024-09-11 21:30A vulnerability classified as critical was found in TDuckCloud TDuckPro up to 6.3. Affected by this vulnerability is an unknown functionality. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-8692"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T19:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical was found in TDuckCloud TDuckPro up to 6.3. Affected by this vulnerability is an unknown functionality. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-95vm-ph4x-xhv5",
"modified": "2024-09-11T21:30:37Z",
"published": "2024-09-11T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8692"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.277165"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.277165"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.401715"
},
{
"type": "WEB",
"url": "https://www.shawroot.cc/2794.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-988H-MP33-6M53
Vulnerability from github – Published: 2024-06-19 03:34 – Updated: 2024-06-19 03:34The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.
{
"affected": [],
"aliases": [
"CVE-2024-6125"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T02:15:09Z",
"severity": "HIGH"
},
"details": "The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.",
"id": "GHSA-988h-mp33-6m53",
"modified": "2024-06-19T03:34:44Z",
"published": "2024-06-19T03:34:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6125"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3104085/login-with-phone-number#file5"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/301a67a5-226c-413a-9198-66747d1b1fd3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.