CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-VWC3-57VR-H373
Vulnerability from github – Published: 2023-07-20 00:30 – Updated: 2024-04-04 06:17Weintek Weincloud v0.13.6
could allow an attacker to reset a password with the corresponding account’s JWT token only.
{
"affected": [],
"aliases": [
"CVE-2023-35134"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T22:15:11Z",
"severity": "MODERATE"
},
"details": "\n\n\nWeintek Weincloud v0.13.6\n\n could allow an attacker to reset a password with the corresponding account\u2019s JWT token only.\n\n\n\n",
"id": "GHSA-vwc3-57vr-h373",
"modified": "2024-04-04T06:17:25Z",
"published": "2023-07-20T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35134"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W47M-6QCR-7XG2
Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP and BMEH*) (V3.20 and prior).
{
"affected": [],
"aliases": [
"CVE-2022-37300"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-12T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).",
"id": "GHSA-w47m-6qcr-7xg2",
"modified": "2022-09-16T00:00:33Z",
"published": "2022-09-13T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37300"
},
{
"type": "WEB",
"url": "https://www.se.com/us/en/download/document/SEVD-2022-221-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W5VV-XFCC-X3JC
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.
{
"affected": [],
"aliases": [
"CVE-2017-2614"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-27T18:29:00Z",
"severity": "MODERATE"
},
"details": "When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.",
"id": "GHSA-w5vv-xfcc-x3jc",
"modified": "2022-05-13T01:36:54Z",
"published": "2022-05-13T01:36:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2614"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2614"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0257.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W6GX-C4X9-QJP2
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the pravel_change_password() AJAX handler — registered via wp_ajax_nopriv_pravel_change_password and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied reset_activation_code POST parameter and the target user's forgot_email user meta value; when a user has never initiated a password reset, get_user_meta() returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to admin-ajax.php with action=pravel_change_password, reset_user_id set to the target account's user ID, and new_password_custom set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
{
"affected": [],
"aliases": [
"CVE-2026-12417"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T07:16:26Z",
"severity": "CRITICAL"
},
"details": "The SignUp \u0026 SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler \u2014 registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users \u2014 performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user\u0027s `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account\u0027s user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.",
"id": "GHSA-w6gx-c4x9-qjp2",
"modified": "2026-06-24T09:30:45Z",
"published": "2026-06-24T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12417"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L222"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L229"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L38"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W7V3-573J-VHR9
Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not.
{
"affected": [],
"aliases": [
"CVE-2022-23172"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "An attacker can access to \"Forgot my password\" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not.",
"id": "GHSA-w7v3-573j-vhr9",
"modified": "2022-07-15T00:00:16Z",
"published": "2022-07-07T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23172"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W9XH-5F39-VQ89
Vulnerability from github – Published: 2026-05-20 15:46 – Updated: 2026-05-28 14:20Summary
An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.
Details
File: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php Lines: 56-130 The updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:
[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]
public function updatePassword(Request $request): JsonResponse
{
$data = json_decode($request->getContent());
$username = trim((string) Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS));
$email = trim((string) Filter::filterEmail($data->email));
if ($username !== '' && $username !== '0' && ($email !== '' && $email !== '0')) {
$user = ($this->currentUserFactory ?? CurrentUser::getCurrentUser(...))($this->configuration);
$loginExist = $user->getUserByLogin($username);
if ($loginExist && $email === $user->getUserData('email')) {
// NO TOKEN CHECK
// NO RATE LIMITING
// NO EMAIL VERIFICATION
$newPassword = $user->createPassword();
$user->changePassword($newPassword);
$mail->send(); // New password sent in plaintext
}
}
}
Root Causes:
- No time-limited cryptographic token required for password reset
- No rate limiting on the endpoint (allows unlimited username/email enumeration)
- No verification email sent to original address before reset
- New password sent in plaintext email without any confirmation step
PoC
Prerequisites: None (unauthenticated attack) Step 1 - Username/Email Enumeration (no rate limiting): Test with wrong email - reveals if user exists
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"wrong@test.com"}' \
http://target/phpmyfaq/api/user/password/update
Response: {"error":"The email doesn't exist..."} <- user exists but wrong email
OR
Response: {"error":"The user doesn't exist"} <- user doesn't exist
Step 2 - Password Reset (no token required):
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"admin@target.com"}' \
http://target/phpmyfaq/api/user/password/update
Response: {"success":"Email has been sent."} The new plaintext password is sent to admin@target.com
Step 3 - Account Takeover: Attacker now has valid credentials and can log in as SuperAdmin.
Impact
Aspect Details Vulnerability Type Authentication Bypass / Weak Password Recovery Mechanism (CWE-640) Attack Vector Network (unauthenticated HTTP request) Privileges Required None User Interaction None Scope Full administrative access to phpMyFAQ Confidentiality High - attacker gains full access to all user data and FAQ content Integrity High - attacker can modify all content and settings Availability High - attacker can lock out legitimate users Who is Impacted: - All phpMyFAQ administrators using default installations - Any organization using phpMyFAQ for internal knowledge bases - End users whose accounts could be compromised - Organizations relying on phpMyFAQ for customer support FAQs Attack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35675"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-359",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-20T15:46:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAn authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.\n\n\n### Details\nFile: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php\nLines: 56-130\nThe updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:\n#[Route(path: \u0027user/password/update\u0027, name: \u0027api.private.user.password\u0027, methods: [\u0027PUT\u0027])]\n```php\npublic function updatePassword(Request $request): JsonResponse\n{\n $data = json_decode($request-\u003egetContent());\n $username = trim((string) Filter::filterVar($data-\u003eusername, FILTER_SANITIZE_SPECIAL_CHARS));\n $email = trim((string) Filter::filterEmail($data-\u003eemail));\n if ($username !== \u0027\u0027 \u0026\u0026 $username !== \u00270\u0027 \u0026\u0026 ($email !== \u0027\u0027 \u0026\u0026 $email !== \u00270\u0027)) {\n $user = ($this-\u003ecurrentUserFactory ?? CurrentUser::getCurrentUser(...))($this-\u003econfiguration);\n $loginExist = $user-\u003egetUserByLogin($username);\n if ($loginExist \u0026\u0026 $email === $user-\u003egetUserData(\u0027email\u0027)) {\n // NO TOKEN CHECK\n // NO RATE LIMITING\n // NO EMAIL VERIFICATION\n $newPassword = $user-\u003ecreatePassword();\n $user-\u003echangePassword($newPassword);\n $mail-\u003esend(); // New password sent in plaintext\n }\n }\n}\n\n\n```\n\n### Root Causes:\n1. No time-limited cryptographic token required for password reset\n2. No rate limiting on the endpoint (allows unlimited username/email enumeration)\n3. No verification email sent to original address before reset\n4. New password sent in plaintext email without any confirmation step\n\n\n### PoC\nPrerequisites: None (unauthenticated attack)\nStep 1 - Username/Email Enumeration (no rate limiting):\nTest with wrong email - reveals if user exists\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"admin\",\"email\":\"wrong@test.com\"}\u0027 \\\n http://target/phpmyfaq/api/user/password/update\n```\nResponse: {\"error\":\"The email doesn\u0027t exist...\"} \u003c- user exists but wrong email\n\nOR\n\nResponse: {\"error\":\"The user doesn\u0027t exist\"} \u003c- user doesn\u0027t exist\n\nStep 2 - Password Reset (no token required):\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"admin\",\"email\":\"admin@target.com\"}\u0027 \\\n http://target/phpmyfaq/api/user/password/update\n```\n\nResponse: {\"success\":\"Email has been sent.\"}\nThe new plaintext password is sent to admin@target.com\n\nStep 3 - Account Takeover:\nAttacker now has valid credentials and can log in as SuperAdmin.\n\n\n\n### Impact\nAspect\tDetails\nVulnerability Type\tAuthentication Bypass / Weak Password Recovery Mechanism (CWE-640)\nAttack Vector\tNetwork (unauthenticated HTTP request)\nPrivileges Required\tNone\nUser Interaction\tNone\nScope\tFull administrative access to phpMyFAQ\nConfidentiality\tHigh - attacker gains full access to all user data and FAQ content\nIntegrity\tHigh - attacker can modify all content and settings\nAvailability\tHigh - attacker can lock out legitimate users\nWho is Impacted:\n- All phpMyFAQ administrators using default installations\n- Any organization using phpMyFAQ for internal knowledge bases\n- End users whose accounts could be compromised\n- Organizations relying on phpMyFAQ for customer support FAQs\nAttack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address",
"id": "GHSA-w9xh-5f39-vq89",
"modified": "2026-05-28T14:20:34Z",
"published": "2026-05-20T15:46:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration"
}
GHSA-WGPJ-7C2J-VFJM
Vulnerability from github – Published: 2021-04-08 16:33 – Updated: 2024-09-23 16:09Impact
An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the Host header. Had a user clicked such a link without realizing it does not point to Indico (and that they never requested it), it would have revealed their password reset token to the attacker, allowing them to reset the password for that user and thus take over their Indico account.
- If the web server already enforces a canonical host name, this cannot be exploited (this was not part of the default config from the Indico setup guide)
- If only SSO is used (
LOCAL_IDENTITIESset toFalse), the vulnerability cannot be exploited for password reset links, but other links in emails set by Indico could be tampered with in the same way (with less problematic impact though)
Patches
You need to update to Indico 2.3.4 as soon as possible. See the docs for instructions on how to update.
Workarounds
You can configure the web server to canonicalize the URL to the hostname used for Indico. See this commit for the changes in our setup docs; they can be easily applied to your existing web server config.
For more information
If you have any questions or comments about this advisory:
- Open a thread in our forum
- Email us privately at indico-team@cern.ch
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-30185"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-08T16:33:24Z",
"nvd_published_at": "2021-04-07T14:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nAn external audit of the Indico codebase has discovered a vulnerability in Indico\u0027s URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the `Host` header. Had a user clicked such a link without realizing it does not point to Indico (and that they never requested it), it would have revealed their password reset token to the attacker, allowing them to reset the password for that user and thus take over their Indico account.\n\n- If the web server already enforces a canonical host name, this cannot be exploited (this was not part of the default config from the Indico setup guide)\n- If only SSO is used ([`LOCAL_IDENTITIES`](https://docs.getindico.io/en/stable/config/settings/#LOCAL_IDENTITIES) set to `False`), the vulnerability cannot be exploited for password reset links, but other links in emails set by Indico could be tampered with in the same way (with less problematic impact though)\n\n### Patches\nYou need to update to [Indico 2.3.4](https://github.com/indico/indico/releases/tag/v2.3.4) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nYou can configure the web server to canonicalize the URL to the hostname used for Indico. See [this commit](https://github.com/indico/indico/pull/4815/commits/b6bff6d004abcf07db1891e26a0eb4aa0edb7c21) for the changes in our setup docs; they can be easily applied to your existing web server config.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at indico-team@cern.ch",
"id": "GHSA-wgpj-7c2j-vfjm",
"modified": "2024-09-23T16:09:57Z",
"published": "2021-04-08T16:33:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/indico/indico/security/advisories/GHSA-wgpj-7c2j-vfjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30185"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-wgpj-7c2j-vfjm"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/releases/tag/v2.3.4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2021-18.yaml"
},
{
"type": "WEB",
"url": "https://www.shorebreaksecurity.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Indico Tampering with links (e.g. password reset) in sent emails"
}
GHSA-WJ48-VR63-9MC8
Vulnerability from github – Published: 2022-05-17 01:57 – Updated: 2022-05-17 01:57An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.
{
"affected": [],
"aliases": [
"CVE-2017-12851"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-14T20:29:00Z",
"severity": "HIGH"
},
"details": "An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.",
"id": "GHSA-wj48-vr63-9mc8",
"modified": "2022-05-17T01:57:47Z",
"published": "2022-05-17T01:57:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12851"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/b79b18efd7a1a8b591753a4eddd473f88d55b7df"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100352"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP73-Q74Q-5P3Q
Vulnerability from github – Published: 2024-06-03 09:30 – Updated: 2024-06-03 09:30An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
{
"affected": [],
"aliases": [
"CVE-2024-5404"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T09:15:10Z",
"severity": "CRITICAL"
},
"details": "An unauthenticated remote attacker\u00a0can change the admin password in a\u00a0moneo appliance due to weak password recovery mechanism.\n",
"id": "GHSA-wp73-q74q-5p3q",
"modified": "2024-06-03T09:30:48Z",
"published": "2024-06-03T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5404"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ5G-2475-CMRR
Vulnerability from github – Published: 2025-03-19 06:31 – Updated: 2025-03-19 06:31The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2024-12295"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-19T05:15:39Z",
"severity": "HIGH"
},
"details": "The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the \u0027boombox_ajax_reset_password\u0027 function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-wq5g-2475-cmrr",
"modified": "2025-03-19T06:31:54Z",
"published": "2025-03-19T06:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12295"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c453aaf6-767d-4929-bbb3-3c0b78b0507a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.