CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-QH6W-JH2G-P57R
Vulnerability from github – Published: 2023-09-07 03:30 – Updated: 2024-04-04 07:32Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.
{
"affected": [],
"aliases": [
"CVE-2023-34357"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-07T03:15:08Z",
"severity": "HIGH"
},
"details": "\nSoar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account.\n\n\n\n",
"id": "GHSA-qh6w-jh2g-p57r",
"modified": "2024-04-04T07:32:25Z",
"published": "2023-09-07T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34357"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7347-2653e-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPG9-5CX8-657Q
Vulnerability from github – Published: 2023-01-30 18:30 – Updated: 2023-02-09 00:30AMI Megarac Password reset interception via API
{
"affected": [],
"aliases": [
"CVE-2022-26872"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T16:15:00Z",
"severity": "HIGH"
},
"details": "AMI Megarac Password reset interception via API",
"id": "GHSA-qpg9-5cx8-657q",
"modified": "2023-02-09T00:30:21Z",
"published": "2023-01-30T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26872"
},
{
"type": "WEB",
"url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023001.pdf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230731-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPQG-9QCW-75QC
Vulnerability from github – Published: 2023-01-19 12:30 – Updated: 2023-01-27 18:30A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. Upgrading to version 1.0 is able to address this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.
{
"affected": [],
"aliases": [
"CVE-2015-10071"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-19T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. Upgrading to version 1.0 is able to address this issue. The name of the patch is 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951.",
"id": "GHSA-qpqg-9qcw-75qc",
"modified": "2023-01-27T18:30:31Z",
"published": "2023-01-19T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10071"
},
{
"type": "WEB",
"url": "https://github.com/gitter-badger/ezpublish-modern-legacy/commit/5908d5ee65fec61ce0e321d586530461a210bf2a"
},
{
"type": "WEB",
"url": "https://github.com/gitter-badger/ezpublish-modern-legacy/releases/tag/1.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.218951"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218951"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXF4-RQX4-9MQJ
Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-02-11 21:30AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
{
"affected": [],
"aliases": [
"CVE-2020-37158"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T21:16:08Z",
"severity": "HIGH"
},
"details": "AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user\u0027s recovery token to change account credentials without authentication.",
"id": "GHSA-qxf4-rqx4-9mqj",
"modified": "2026-02-11T21:30:40Z",
"published": "2026-02-11T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37158"
},
{
"type": "WEB",
"url": "https://avideo.com"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48003"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R2MX-8C88-F5CF
Vulnerability from github – Published: 2022-05-17 03:39 – Updated: 2022-05-17 03:39The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2016-5997"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-26T04:59:00Z",
"severity": "MODERATE"
},
"details": "The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack.",
"id": "GHSA-r2mx-8c88-f5cf",
"modified": "2022-05-17T03:39:52Z",
"published": "2022-05-17T03:39:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5997"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990216"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93144"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R464-RGH8-QF85
Vulnerability from github – Published: 2026-06-20 00:34 – Updated: 2026-06-20 00:34The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2026-11551"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-20T00:16:15Z",
"severity": "CRITICAL"
},
"details": "The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-r464-rgh8-qf85",
"modified": "2026-06-20T00:34:08Z",
"published": "2026-06-20T00:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11551"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.29/inc/modules/login-screen/signup-password.php#L232"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R4CX-CQJR-VFR8
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-09 00:00An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.
{
"affected": [],
"aliases": [
"CVE-2022-34530"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.",
"id": "GHSA-r4cx-cqjr-vfr8",
"modified": "2022-08-09T00:00:25Z",
"published": "2022-08-02T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34530"
},
{
"type": "WEB",
"url": "https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md"
},
{
"type": "WEB",
"url": "http://backdrop.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6FW-84V2-X45X
Vulnerability from github – Published: 2023-04-20 21:33 – Updated: 2024-04-04 03:37An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.
{
"affected": [],
"aliases": [
"CVE-2021-36436"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-20T21:15:08Z",
"severity": "MODERATE"
},
"details": "An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.",
"id": "GHSA-r6fw-84v2-x45x",
"modified": "2024-04-04T03:37:20Z",
"published": "2023-04-20T21:33:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36436"
},
{
"type": "WEB",
"url": "https://github.com/Laransec/Mobicint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R86W-X85M-W6RJ
Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.
{
"affected": [],
"aliases": [
"CVE-2017-0921"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T21:29:00Z",
"severity": "HIGH"
},
"details": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim\u0027s session is compromised.",
"id": "GHSA-r86w-x85m-w6rj",
"modified": "2022-05-14T03:01:37Z",
"published": "2022-05-14T03:01:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0921"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R8F4-QRCC-H436
Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.
{
"affected": [],
"aliases": [
"CVE-2018-7809"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-30T19:29:00Z",
"severity": "CRITICAL"
},
"details": "An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.",
"id": "GHSA-r8f4-qrcc-h436",
"modified": "2022-05-14T01:44:38Z",
"published": "2022-05-14T01:44:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7809"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2018-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.