Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-JQC3-44QX-CQ87

Vulnerability from github – Published: 2023-09-30 00:31 – Updated: 2023-09-30 00:31
VLAI
Details

A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat&a=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-240926 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-29T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat\u0026a=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-240926 is the identifier assigned to this vulnerability.",
  "id": "GHSA-jqc3-44qx-cq87",
  "modified": "2023-09-30T00:31:10Z",
  "published": "2023-09-30T00:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magicwave18/vuldb/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.240926"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.240926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXQ9-79VJ-RGVW

Vulnerability from github – Published: 2026-02-24 21:09 – Updated: 2026-03-19 21:10
VLAI
Summary
Statamic is vulnerable to account takeover via password reset link injection
Details

Impact

An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf.

The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.

Patches

This has been fixed in 6.7.1 and 5.73.10.

Note that a follow-up report showed the original 6.3.3 fix to be insufficient. The 5.73.10 fix was sufficient.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.73.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha.1"
            },
            {
              "fixed": "6.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T21:09:23Z",
    "nvd_published_at": "2026-02-24T22:16:32Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\nAn attacker may leverage a vulnerability in the password reset feature to capture a user\u0027s token and reset the password on their behalf.\n\nThe attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn\u0027t request the reset.\n\n## Patches\n\nThis has been fixed in 6.7.1 and 5.73.10.\n\nNote that a follow-up report showed the original 6.3.3 fix to be insufficient. The 5.73.10 fix was sufficient.",
  "id": "GHSA-jxq9-79vj-rgvw",
  "modified": "2026-03-19T21:10:39Z",
  "published": "2026-02-24T21:09:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27593"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/statamic/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/releases/tag/v5.73.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/releases/tag/v6.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Statamic is vulnerable to account takeover via password reset link injection"
}

GHSA-M492-GV72-XVXJ

Vulnerability from github – Published: 2026-07-01 19:49 – Updated: 2026-07-01 19:49
VLAI
Summary
Kimai Password Reset Link Remains Valid After Password Change
Details

Summary

The LoginLink signature used for password reset URLs covers only the user's id — it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who intercepts or caches the original link can log in as the user even after the password has been changed.

Details

config/packages/security.yaml:73-78 configures the login link:

login_link:
    check_route: link_login_check
    signature_properties: ['id']
    lifetime: 900
    max_uses: 3

The HMAC signature covers only id, not password, username, or email. The effective lifetime for password reset links is extended to 3600 seconds by PasswordResetController.php:106-119 via getPasswordResetRetryLifetime().

After the first successful use (where the user sets a new password), the __pw_reset__ session flag is cleared by WizardController.php:105. Subsequent uses of the same link bypass the forced-password-reset wizard and grant a normal authenticated session.

Symfony's LoginLinkHandler::consumeLoginLink decrements a per-link counter but allows up to 3 total uses. Re-issuing a new link does not invalidate the old one.

The same vulnerability affects UserLoginLinkCommand.php:77, which generates admin-on-demand login links with the same signature scheme.

PoC

Step 1 — Generate a password reset link:

docker exec <kimai_container> bin/console kimai:user:login-link <username>

Step 2 — Use the link to log in and change the password.

Step 3 — Open the same link in a different browser or incognito session.

The link logs the attacker in as a fully authenticated user, despite the password having been changed in Step 2.

Step 4 — The link works a third time (3 total uses within 1 hour).

Impact

A password reset link that leaks through any of the following channels remains a valid authentication credential even after the legitimate user has changed their password: corporate mail-relay scanners that pre-click links (Microsoft Defender ATP, Mimecast, Barracuda), shared inboxes, browser history sync across devices, HTTP referrer headers, or proxy/WAF logs. The user believes they have secured their account by setting a new password, but the leaked link still grants full access for up to 2 additional uses within the hour.

Solution

Login links now also use the password hash for generating the signature, which will immediately expire the link after the user changed the password.

Read https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj for more information.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.57.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.58.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T19:49:24Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe LoginLink signature used for password reset URLs covers only the user\u0027s `id` \u2014 it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who intercepts or caches the original link can log in as the user even after the password has been changed.\n\n### Details\n\n`config/packages/security.yaml:73-78` configures the login link:\n\n```yaml\nlogin_link:\n    check_route: link_login_check\n    signature_properties: [\u0027id\u0027]\n    lifetime: 900\n    max_uses: 3\n```\n\nThe HMAC signature covers only `id`, not `password`, `username`, or `email`. The effective lifetime for password reset links is extended to 3600 seconds by `PasswordResetController.php:106-119` via `getPasswordResetRetryLifetime()`.\n\nAfter the first successful use (where the user sets a new password), the `__pw_reset__` session flag is cleared by `WizardController.php:105`. Subsequent uses of the same link bypass the forced-password-reset wizard and grant a normal authenticated session.\n\nSymfony\u0027s `LoginLinkHandler::consumeLoginLink` decrements a per-link counter but allows up to 3 total uses. Re-issuing a new link does not invalidate the old one.\n\nThe same vulnerability affects `UserLoginLinkCommand.php:77`, which generates admin-on-demand login links with the same signature scheme.\n\n### PoC\n\n**Step 1 \u2014 Generate a password reset link:**\n\n```bash\ndocker exec \u003ckimai_container\u003e bin/console kimai:user:login-link \u003cusername\u003e\n```\n\n**Step 2 \u2014 Use the link to log in and change the password.**\n\n**Step 3 \u2014 Open the same link in a different browser or incognito session.**\n\nThe link logs the attacker in as a fully authenticated user, despite the password having been changed in Step 2.\n\n**Step 4 \u2014 The link works a third time (3 total uses within 1 hour).**\n\n### Impact\n\nA password reset link that leaks through any of the following channels remains a valid authentication credential even after the legitimate user has changed their password: corporate mail-relay scanners that pre-click links (Microsoft Defender ATP, Mimecast, Barracuda), shared inboxes, browser history sync across devices, HTTP referrer headers, or proxy/WAF logs. The user believes they have secured their account by setting a new password, but the leaked link still grants full access for up to 2 additional uses within the hour.\n\n# Solution\n\nLogin links now also use the `password` hash for generating the signature, which will immediately expire the link after the user changed the password.\n\nRead \u003chttps://www.kimai.org/en/security/ghsa-m492-gv72-xvxj\u003e for more information.",
  "id": "GHSA-m492-gv72-xvxj",
  "modified": "2026-07-01T19:49:25Z",
  "published": "2026-07-01T19:49:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-m492-gv72-xvxj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai Password Reset Link Remains Valid After Password Change"
}

GHSA-M4W7-G56P-3VC4

Vulnerability from github – Published: 2023-05-24 21:30 – Updated: 2024-04-04 04:19
VLAI
Details

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-24T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.",
  "id": "GHSA-m4w7-g56p-3vc4",
  "modified": "2024-04-04T04:19:54Z",
  "published": "2023-05-24T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31459"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5GX-365M-GFGX

Vulnerability from github – Published: 2025-12-19 21:30 – Updated: 2025-12-19 21:30
VLAI
Details

LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-19T21:15:52Z",
    "severity": "HIGH"
  },
  "details": "LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens.",
  "id": "GHSA-m5gx-365m-gfgx",
  "modified": "2025-12-19T21:30:20Z",
  "published": "2025-12-19T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ltb-project/self-service-password"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51275"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/ldap-tool-box-self-service-password-account-takeover-via-http-host-header"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M5WP-9JW2-R9VP

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-05T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover.",
  "id": "GHSA-m5wp-9jw2-r9vp",
  "modified": "2022-05-24T17:33:12Z",
  "published": "2022-05-24T17:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15949"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/advisories"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/advisories/immuta-version-2.8.2"
    },
    {
      "type": "WEB",
      "url": "https://www.immuta.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M857-MPG8-9P23

Vulnerability from github – Published: 2022-05-14 03:02 – Updated: 2022-05-14 03:02
VLAI
Details

Instant Update CMS contains a Password Reset Vulnerability vulnerability in /iu-application/controllers/administration/auth.php that can result in Account Tackover. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in v0.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Instant Update CMS contains a Password Reset Vulnerability vulnerability in /iu-application/controllers/administration/auth.php that can result in Account Tackover. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in v0.3.3.",
  "id": "GHSA-m857-mpg8-9p23",
  "modified": "2022-05-14T03:02:45Z",
  "published": "2022-05-14T03:02:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/InstantUpdate/CMS/commit/5e70496b6b0c4cd554e62a709a248c1584533da6"
    },
    {
      "type": "WEB",
      "url": "http://my.instant-update.com/t/i-wanna-to-report-an-security-issue/659/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MGG5-84CV-FC3C

Vulnerability from github – Published: 2024-01-12 15:30 – Updated: 2025-10-22 00:32
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T14:15:49Z",
    "severity": "CRITICAL"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.",
  "id": "GHSA-mgg5-84cv-fc3c",
  "modified": "2025-10-22T00:32:58Z",
  "published": "2024-01-12T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7028"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2293343"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/436084"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7028"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/critical-gitlab-account-takeover-vulnerability-cve-2023-7028"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MGR7-VCH3-X89H

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Malicious attacker is able to find out valid user logins by using the \"lost password\" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.",
  "id": "GHSA-mgr7-vch3-x89h",
  "modified": "2022-05-24T19:13:03Z",
  "published": "2022-05-24T19:13:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36095"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJMW-3M65-4C84

Vulnerability from github – Published: 2025-02-11 15:32 – Updated: 2025-02-11 15:32
VLAI
Details

Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality.",
  "id": "GHSA-mjmw-3m65-4c84",
  "modified": "2025-02-11T15:32:24Z",
  "published": "2025-02-11T15:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1231"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2025-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.