Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-R8PR-83CC-CCV7

Vulnerability from github – Published: 2022-01-21 23:34 – Updated: 2022-01-27 18:26
VLAI
Summary
Umbraco Persistent Password Reset Poison
Details

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T22:24:13Z",
    "nvd_published_at": "2022-01-18T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.",
  "id": "GHSA-r8pr-83cc-ccv7",
  "modified": "2022-01-27T18:26:22Z",
  "published": "2022-01-21T23:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22691"
    },
    {
      "type": "WEB",
      "url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco Persistent Password Reset Poison"
}

GHSA-R95H-G3M2-8RGX

Vulnerability from github – Published: 2022-05-14 03:23 – Updated: 2022-05-14 03:23
VLAI
Details

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-6412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-12T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.",
  "id": "GHSA-r95h-g3m2-8rgx",
  "modified": "2022-05-14T03:23:18Z",
  "published": "2022-05-14T03:23:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6412"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192474"
    },
    {
      "type": "WEB",
      "url": "https://core.trac.wordpress.org/ticket/28633"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/130380/WordPress-Failed-Randomness.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Feb/42"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Feb/53"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72589"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9MJ-87FJ-738H

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34
VLAI
Details

Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site allows Password Recovery Exploitation. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T16:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site allows Password Recovery Exploitation. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.11.",
  "id": "GHSA-r9mj-87fj-738h",
  "modified": "2026-04-01T18:34:47Z",
  "published": "2025-04-17T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31380"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/ppv-live-webcams/vulnerability/wordpress-paid-videochat-turnkey-site-7-3-5-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFJG-6M84-CRJ2

Vulnerability from github – Published: 2026-02-28 01:59 – Updated: 2026-02-28 01:59
VLAI
Summary
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Details

Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.

This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.

Technical Analysis The vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.

  1. Logic Error in Password Reset (No Invalidation) In pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user's password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.

Vulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)

func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {
    // ... [Validation and User Lookup] ...

    // Hash the password
    user.Password, err = HashPassword(reset.NewPassword)
    if err != nil {
        return
    }

    // FLAW: Deletes 'TokenEmailConfirm' instead of the current 'TokenPasswordReset'
    err = removeTokens(s, user, TokenEmailConfirm)
    if err != nil {
        return
    }

    // ... [Update User Status and Return] ...
    // The reset token is never removed and remains valid in the DB.
}
  1. Logic Error in Token Cleanup (Inverted Expiry) The background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.

Vulnerable Code: pkg/user/token.go (Lines 125-151)

func RegisterTokenCleanupCron() {
    // ...
    err := cron.Schedule("0 * * * *", func() {
        // ...
        // FLAW: "created > ?" selects tokens created AFTER 24 hours ago.
        // This deletes NEW valid tokens and keeps OLD expired tokens forever.
        deleted, err := s.
            Where("created > ? AND (kind = ? OR kind = ?)", 
            time.Now().Add(time.Hour*24*-1), 
            TokenPasswordReset, TokenAccountDeletion).
            Delete(&Token{})
        // ...
    })
}

Impact Persistent Account Takeover: An attacker with a single valid token can reset the victim's password an unlimited number of times.

Bypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.

Infinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of "forever," allowing exploitation months or years after the token was issued.

Remediation 1. Invalidate Token on Use Update ResetPassword to delete the specific reset token upon successful completion. // Recommended Fix err = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind 2. Fix Cleanup Logic Update the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time. // Recommended Fix Where("created < ? ...", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (<)

A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T01:59:28Z",
    "nvd_published_at": "2026-02-27T21:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "**Summary**\nA critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.\n\nThis allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.\n\n**Technical Analysis**\nThe vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.\n\n1. Logic Error in Password Reset (No Invalidation)\nIn pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user\u0027s password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.\n\nVulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)\n```\nfunc ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {\n    // ... [Validation and User Lookup] ...\n\n    // Hash the password\n    user.Password, err = HashPassword(reset.NewPassword)\n    if err != nil {\n        return\n    }\n\n    // FLAW: Deletes \u0027TokenEmailConfirm\u0027 instead of the current \u0027TokenPasswordReset\u0027\n    err = removeTokens(s, user, TokenEmailConfirm)\n    if err != nil {\n        return\n    }\n\n    // ... [Update User Status and Return] ...\n    // The reset token is never removed and remains valid in the DB.\n}\n```\n2. Logic Error in Token Cleanup (Inverted Expiry)\nThe background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.\n\nVulnerable Code: pkg/user/token.go (Lines 125-151)\n```\nfunc RegisterTokenCleanupCron() {\n    // ...\n    err := cron.Schedule(\"0 * * * *\", func() {\n        // ...\n        // FLAW: \"created \u003e ?\" selects tokens created AFTER 24 hours ago.\n        // This deletes NEW valid tokens and keeps OLD expired tokens forever.\n        deleted, err := s.\n            Where(\"created \u003e ? AND (kind = ? OR kind = ?)\", \n            time.Now().Add(time.Hour*24*-1), \n            TokenPasswordReset, TokenAccountDeletion).\n            Delete(\u0026Token{})\n        // ...\n    })\n}\n\n```\n\n**Impact**\nPersistent Account Takeover: An attacker with a single valid token can reset the victim\u0027s password an unlimited number of times.\n\nBypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.\n\nInfinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of \"forever,\" allowing exploitation months or years after the token was issued.\n\n**Remediation**\n1. Invalidate Token on Use\nUpdate ResetPassword to delete the specific reset token upon successful completion.\n`// Recommended Fix\nerr = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind`\n2. Fix Cleanup Logic\nUpdate the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time.\n`// Recommended Fix\nWhere(\"created \u003c ? ...\", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (\u003c)`\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0",
  "id": "GHSA-rfjg-6m84-crj2",
  "modified": "2026-02-28T01:59:28Z",
  "published": "2026-02-28T01:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
}

GHSA-RG9F-H2V7-XH94

Vulnerability from github – Published: 2026-07-12 06:31 – Updated: 2026-07-12 06:31
VLAI
Details

A vulnerability was found in H3C NX15 V100R017. Affected by this vulnerability is the function change_passwd of the file /api/login/modify of the component Administrator Password Modification Endpoint. The manipulation of the argument newPass results in weak password recovery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-12T06:16:41Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in H3C NX15 V100R017. Affected by this vulnerability is the function change_passwd of the file /api/login/modify of the component Administrator Password Modification Endpoint. The manipulation of the argument newPass results in weak password recovery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.",
  "id": "GHSA-rg9f-h2v7-xh94",
  "modified": "2026-07-12T06:31:11Z",
  "published": "2026-07-12T06:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coconut652-7/IOT_Vul_Public/tree/main/H3C/NX15R017/pre_auth_pwd_change"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15479"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/837069"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377785"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377785/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RG9R-F32F-755R

Vulnerability from github – Published: 2023-02-02 00:30 – Updated: 2023-02-08 21:30
VLAI
Details

An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.",
  "id": "GHSA-rg9r-f32f-755r",
  "modified": "2023-02-08T21:30:19Z",
  "published": "2023-02-02T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45782"
    },
    {
      "type": "WEB",
      "url": "https://www.dotcms.com/security/SI-66"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH6H-F4GJ-HPGV

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.",
  "id": "GHSA-rh6h-f4gj-hpgv",
  "modified": "2022-05-24T19:10:19Z",
  "published": "2022-05-24T19:10:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36209"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RH7C-27W5-QH7X

Vulnerability from github – Published: 2025-03-08 00:31 – Updated: 2025-03-08 00:31
VLAI
Details

A vulnerability was found in PHPGurukul Online Library Management System 3.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /change-password.php. The manipulation of the argument email/phone number leads to weak password recovery. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-07T22:15:38Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in PHPGurukul Online Library Management System 3.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /change-password.php. The manipulation of the argument email/phone number leads to weak password recovery. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-rh7c-27w5-qh7x",
  "modified": "2025-03-08T00:31:21Z",
  "published": "2025-03-08T00:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2093"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SECWG/cve/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://phpgurukul.com"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.298951"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.298951"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.515207"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RP89-32RP-QPQ2

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2024-04-24 20:18
VLAI
Summary
Pagekit Weak Password Recovery Mechanism for Forgotten Password
Details

An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pagekit/pagekit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T20:18:58Z",
    "nvd_published_at": "2017-01-25T18:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user\u0027s password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.",
  "id": "GHSA-rp89-32rp-qpq2",
  "modified": "2024-04-24T20:18:58Z",
  "published": "2022-05-13T01:12:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pagekit/pagekit"
    },
    {
      "type": "WEB",
      "url": "https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf"
    },
    {
      "type": "WEB",
      "url": "https://securelayer7.net/download/poc/password-reset-vulnerability-exploit-ruby-pagekit-cms.rb.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41143"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pagekit Weak Password Recovery Mechanism for Forgotten Password"
}

GHSA-RQ4Q-7XVX-8F5W

Vulnerability from github – Published: 2024-10-16 03:31 – Updated: 2025-05-17 03:30
VLAI
Details

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T02:15:07Z",
    "severity": "HIGH"
  },
  "details": "The AppPresser \u2013 Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.",
  "id": "GHSA-rq4q-7xvx-8f5w",
  "modified": "2025-05-17T03:30:30Z",
  "published": "2024-10-16T03:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9305"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/apppresser/tags/4.4.4/inc/AppPresser_Ajax_Extras.php#L31"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/apppresser/tags/4.4.4/inc/AppPresser_WPAPI_Mods.php#L92"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3168744%40apppresser\u0026new=3168744%40apppresser\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45647fa6-a98d-4eb4-a287-f523e434688b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.