Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-QH6W-JH2G-P57R

Vulnerability from github – Published: 2023-09-07 03:30 – Updated: 2024-04-04 07:32
VLAI
Details

Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-07T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "\nSoar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.\n\n\n\n",
  "id": "GHSA-qh6w-jh2g-p57r",
  "modified": "2024-04-04T07:32:25Z",
  "published": "2023-09-07T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34357"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7347-2653e-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPG9-5CX8-657Q

Vulnerability from github – Published: 2023-01-30 18:30 – Updated: 2023-02-09 00:30
VLAI
Details

AMI Megarac Password reset interception via API

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "AMI Megarac Password reset interception via API",
  "id": "GHSA-qpg9-5cx8-657q",
  "modified": "2023-02-09T00:30:21Z",
  "published": "2023-01-30T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26872"
    },
    {
      "type": "WEB",
      "url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023001.pdf"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230731-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPQG-9QCW-75QC

Vulnerability from github – Published: 2023-01-19 12:30 – Updated: 2023-01-27 18:30
VLAI
Details

A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. Upgrading to version 1.0 is able to address this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. Upgrading to version 1.0 is able to address this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.",
  "id": "GHSA-qpqg-9qcw-75qc",
  "modified": "2023-01-27T18:30:31Z",
  "published": "2023-01-19T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10071"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitter-badger/ezpublish-modern-legacy/commit/5908d5ee65fec61ce0e321d586530461a210bf2a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitter-badger/ezpublish-modern-legacy/releases/tag/1.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.218951"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.218951"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXF4-RQX4-9MQJ

Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-02-11 21:30
VLAI
Details

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T21:16:08Z",
    "severity": "HIGH"
  },
  "details": "AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user\u0027s recovery token to change account credentials without authentication.",
  "id": "GHSA-qxf4-rqx4-9mqj",
  "modified": "2026-02-11T21:30:40Z",
  "published": "2026-02-11T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37158"
    },
    {
      "type": "WEB",
      "url": "https://avideo.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48003"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R2MX-8C88-F5CF

Vulnerability from github – Published: 2022-05-17 03:39 – Updated: 2022-05-17 03:39
VLAI
Details

The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-26T04:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack.",
  "id": "GHSA-r2mx-8c88-f5cf",
  "modified": "2022-05-17T03:39:52Z",
  "published": "2022-05-17T03:39:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5997"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990216"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R464-RGH8-QF85

Vulnerability from github – Published: 2026-06-20 00:34 – Updated: 2026-06-20 00:34
VLAI
Details

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-20T00:16:15Z",
    "severity": "CRITICAL"
  },
  "details": "The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-r464-rgh8-qf85",
  "modified": "2026-06-20T00:34:08Z",
  "published": "2026-06-20T00:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11551"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.29/inc/modules/login-screen/signup-password.php#L232"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4CX-CQJR-VFR8

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-09 00:00
VLAI
Details

An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.",
  "id": "GHSA-r4cx-cqjr-vfr8",
  "modified": "2022-08-09T00:00:25Z",
  "published": "2022-08-02T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md"
    },
    {
      "type": "WEB",
      "url": "http://backdrop.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6FW-84V2-X45X

Vulnerability from github – Published: 2023-04-20 21:33 – Updated: 2024-04-04 03:37
VLAI
Details

An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-20T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.",
  "id": "GHSA-r6fw-84v2-x45x",
  "modified": "2024-04-04T03:37:20Z",
  "published": "2023-04-20T21:33:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Laransec/Mobicint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R86W-X85M-W6RJ

Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01
VLAI
Details

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-03T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim\u0027s session is compromised.",
  "id": "GHSA-r86w-x85m-w6rj",
  "modified": "2022-05-14T03:01:37Z",
  "published": "2022-05-14T03:01:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0921"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8F4-QRCC-H436

Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44
VLAI
Details

An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-30T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.",
  "id": "GHSA-r8f4-qrcc-h436",
  "modified": "2022-05-14T01:44:38Z",
  "published": "2022-05-14T01:44:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7809"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2018-38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.