Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-XR65-2GPF-FJ8V

Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2025-04-20 03:37
VLAI
Details

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-04T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim\u0027s e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.",
  "id": "GHSA-xr65-2gpf-fj8v",
  "modified": "2025-04-20T03:37:13Z",
  "published": "2022-05-17T00:26:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8295"
    },
    {
      "type": "WEB",
      "url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/8807"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41963"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3870"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98295"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRF9-VPRM-8M66

Vulnerability from github – Published: 2025-07-20 12:30 – Updated: 2025-07-20 12:30
VLAI
Details

A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-20T10:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xrf9-vprm-8m66",
  "modified": "2025-07-20T12:30:26Z",
  "published": "2025-07-20T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README20.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.316996"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.316996"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.611328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XRFH-P66C-M56H

Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2025-04-20 03:39
VLAI
Details

QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-15T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function.",
  "id": "GHSA-xrfh-p66c-m56h",
  "modified": "2025-04-20T03:39:12Z",
  "published": "2022-05-17T02:40:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7629"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en-us/releasenotes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.