CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CVE-2025-52560 (GCVE-0-2025-52560)
Vulnerability from cvelistv5 – Published: 2025-06-24 02:56 – Updated: 2025-06-24 15:02
VLAI
Title
Kanboard Password Reset Poisoning via Host Header Injection
Summary
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46.
Severity
8.1 (High)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/kanboard/kanboard/security/adv… | x_refsource_CONFIRM |
| https://github.com/kanboard/kanboard/commit/bca2b… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52560",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T15:02:34.318703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T15:02:43.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kanboard",
"vendor": "kanboard",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.46"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T02:56:26.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2ch5-gqjm-8p92",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2ch5-gqjm-8p92"
},
{
"name": "https://github.com/kanboard/kanboard/commit/bca2bd7ab95e7990e358fd35a7daf51a9c16aa75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kanboard/kanboard/commit/bca2bd7ab95e7990e358fd35a7daf51a9c16aa75"
}
],
"source": {
"advisory": "GHSA-2ch5-gqjm-8p92",
"discovery": "UNKNOWN"
},
"title": "Kanboard Password Reset Poisoning via Host Header Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52560",
"datePublished": "2025-06-24T02:56:26.589Z",
"dateReserved": "2025-06-18T03:55:52.035Z",
"dateUpdated": "2025-06-24T15:02:43.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53373 (GCVE-0-2025-53373)
Vulnerability from cvelistv5 – Published: 2025-07-07 15:38 – Updated: 2025-07-07 15:47
VLAI
Title
Natours has a 1 Click Account take over on reset password via Host Header injection
Summary
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.
Severity
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ahmed-elgaml11/Natours/securit… | x_refsource_CONFIRM |
| https://github.com/ahmed-elgaml11/Natours/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ahmed-elgaml11 | Natours |
Affected:
< 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T15:46:57.776939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:47:18.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Natours",
"vendor": "ahmed-elgaml11",
"versions": [
{
"status": "affected",
"version": "\u003c 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:38:42.320Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ahmed-elgaml11/Natours/security/advisories/GHSA-8gmw-7p75-58qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ahmed-elgaml11/Natours/security/advisories/GHSA-8gmw-7p75-58qv"
},
{
"name": "https://github.com/ahmed-elgaml11/Natours/commit/7401793a8d9ed0f0c250c4e0ee2815d685d7a70b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ahmed-elgaml11/Natours/commit/7401793a8d9ed0f0c250c4e0ee2815d685d7a70b"
}
],
"source": {
"advisory": "GHSA-8gmw-7p75-58qv",
"discovery": "UNKNOWN"
},
"title": "Natours has a 1 Click Account take over on reset password via Host Header injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53373",
"datePublished": "2025-07-07T15:38:42.320Z",
"dateReserved": "2025-06-27T12:57:16.122Z",
"dateUpdated": "2025-07-07T15:47:18.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53704 (GCVE-0-2025-53704)
Vulnerability from cvelistv5 – Published: 2025-12-04 21:44 – Updated: 2025-12-05 19:21
VLAI
Title
MAXHUB Pivot Weak Password Recovery Mechanism for Forgotten Password
Summary
The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MAXHUB | Pivot client application |
Affected:
0 , < 1.36.2
(custom)
Unaffected: 1.36.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T19:21:05.023674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T19:21:16.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pivot client application",
"vendor": "MAXHUB",
"versions": [
{
"lessThan": "1.36.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.36.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Malik MAKKES of Abicom Groupe OCI reported this vulnerability to MAXHUB."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.\u003c/span\u003e"
}
],
"value": "The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T21:44:06.466Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.maxhub.com/en/support/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMAXHUB recommends users to upgrade the Pivot client application to v1.36.2 or newer. For more information, see the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.maxhub.com/en/support/\"\u003eMAXHUB support page.\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "MAXHUB recommends users to upgrade the Pivot client application to v1.36.2 or newer. For more information, see the MAXHUB support page. https://www.maxhub.com/en/support/"
}
],
"source": {
"advisory": "ICSA-25-338-02",
"discovery": "UNKNOWN"
},
"title": "MAXHUB Pivot Weak Password Recovery Mechanism for Forgotten Password",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53704",
"datePublished": "2025-12-04T21:44:06.466Z",
"dateReserved": "2025-07-30T19:03:10.106Z",
"dateUpdated": "2025-12-05T19:21:16.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6097 (GCVE-0-2025-6097)
Vulnerability from cvelistv5 – Published: 2025-06-16 00:00 – Updated: 2025-06-16 16:22
VLAI
Title
UTT 进取 750W Administrator Password setSysAdm formDefineManagement unverified password change
Summary
A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.312566 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.312566 | signaturepermissions-required |
| https://vuldb.com/?submit.589425 | third-party-advisory |
| https://github.com/pfwqdxwdd/cve/blob/main/6.md | related |
| https://github.com/pfwqdxwdd/cve/blob/main/6.md#poc | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6097",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T16:22:40.258870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T16:22:55.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Administrator Password Handler"
],
"product": "\u8fdb\u53d6 750W",
"vendor": "UTT",
"versions": [
{
"status": "affected",
"version": "5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "pfwqdxwdd (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in UTT \u8fdb\u53d6 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in UTT \u8fdb\u53d6 750W bis 5.0 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion formDefineManagement der Datei /goform/setSysAdm der Komponente Administrator Password Handler. Dank Manipulation des Arguments passwd1 mit unbekannten Daten kann eine unverified password change-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "Weak Password Recovery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T00:00:12.840Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-312566 | UTT \u8fdb\u53d6 750W Administrator Password setSysAdm formDefineManagement unverified password change",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.312566"
},
{
"name": "VDB-312566 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.312566"
},
{
"name": "Submit #589425 | UTT \u8fdb\u53d6750w \u003c=V5.0 Unverified Password Change",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.589425"
},
{
"tags": [
"related"
],
"url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md#poc"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-15T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-15T09:01:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "UTT \u8fdb\u53d6 750W Administrator Password setSysAdm formDefineManagement unverified password change"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-6097",
"datePublished": "2025-06-16T00:00:12.840Z",
"dateReserved": "2025-06-15T06:56:23.268Z",
"dateUpdated": "2025-06-16T16:22:55.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61977 (GCVE-0-2025-61977)
Vulnerability from cvelistv5 – Published: 2025-10-23 21:51 – Updated: 2025-10-24 14:34
VLAI
Title
AutomationDirect Productivity Suite Weak Password Recovery Mechanism for Forgotten Password
Summary
A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.
Severity
CWE
Assigner
References
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| AutomationDirect | Productivity Suite |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-622 CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-550E CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-530 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-622 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-540 CPU |
Affected:
0 , < SW v4.4.1.19
(custom)
|
Date Public
2025-10-23 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61977",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T14:33:53.667914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T14:34:02.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Productivity Suite",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-550E CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-530 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-540 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThan": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_suite:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-550e_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-530_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-540_cpu:*:*:*:*:*:*:*:*",
"versionEndExcluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect."
}
],
"datePublic": "2025-10-23T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.\u003c/span\u003e\n\n \u003c/span\u003e"
}
],
"value": "A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T21:51:56.523Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
},
{
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect recommends that users do the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the Productivity Suite programming software to version 4.5.0.x or higher.\u003c/li\u003e\u003cli\u003eUpdate the firmware of Productivity PLCs to the latest version. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/support/software-downloads\"\u003ehttps://www.automationdirect.com/support/software-downloads\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAlthough automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\u003c/li\u003e\u003cli\u003eIt is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\u003c/li\u003e\u003cli\u003eAutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect recommends that users do the following:\n\n * Update the Productivity Suite programming software to version 4.5.0.x or higher.\n * Update the firmware of Productivity PLCs to the latest version. https://www.automationdirect.com/support/software-downloads \n * Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\n * It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\n * AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application."
}
],
"source": {
"advisory": "ICSA-25-296-01",
"discovery": "EXTERNAL"
},
"title": "AutomationDirect Productivity Suite Weak Password Recovery Mechanism for Forgotten Password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhysically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\u003c/li\u003e\u003cli\u003eConfigure network segmentation to isolate the PLC from other devices and systems within the organization.\u003c/li\u003e\u003cli\u003eImplement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\u003c/li\u003e\u003cli\u003ePlease refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.automationdirect.com/docs/securityconsiderations.pdf\"\u003eAutomationDirect\u0027s security considerations\u003c/a\u003e\u0026nbsp;for additional information.\u003c/li\u003e\u003cli\u003eIf you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\n\n * Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\n * Configure network segmentation to isolate the PLC from other devices and systems within the organization.\n * Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\n * Please refer to AutomationDirect\u0027s security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf \u00a0for additional information.\n * If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance."
}
],
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-61977",
"datePublished": "2025-10-23T21:51:56.523Z",
"dateReserved": "2025-10-21T21:55:11.830Z",
"dateUpdated": "2025-10-24T14:34:02.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6216 (GCVE-0-2025-6216)
Vulnerability from cvelistv5 – Published: 2025-06-21 00:08 – Updated: 2025-06-23 16:14
VLAI
Title
Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability
Summary
Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application. Was ZDI-CAN-27104.
Severity
9.8 (Critical)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://alltena.com/en/resources/release-notes/re… | vendor-advisory |
Date Public
2025-06-19 15:12
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T16:13:58.526075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T16:14:45.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Allegra",
"vendor": "Allegra",
"versions": [
{
"status": "affected",
"version": "8.1.3.32"
}
]
}
],
"dateAssigned": "2025-06-17T21:48:58.892Z",
"datePublic": "2025-06-19T15:12:17.504Z",
"descriptions": [
{
"lang": "en",
"value": "Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application. Was ZDI-CAN-27104."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-21T00:08:15.716Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-410",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-410/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2"
}
],
"source": {
"lang": "en",
"value": "Swagat"
},
"title": "Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-6216",
"datePublished": "2025-06-21T00:08:15.716Z",
"dateReserved": "2025-06-17T21:48:58.730Z",
"dateUpdated": "2025-06-23T16:14:45.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62406 (GCVE-0-2025-62406)
Vulnerability from cvelistv5 – Published: 2025-11-18 22:18 – Updated: 2025-11-19 16:48
VLAI
Title
Piwigo is vulnerable to one-click account takeover by modifying the password-reset link
Summary
Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.
Severity
8.1 (High)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/Piwigo/Piwigo/commit/9d2565465… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62406",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T16:13:36.150593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:48:47.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Piwigo",
"vendor": "Piwigo",
"versions": [
{
"status": "affected",
"version": "= 15.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request\u0027s Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T22:18:45.747Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692"
}
],
"source": {
"advisory": "GHSA-9986-w7jf-33f6",
"discovery": "UNKNOWN"
},
"title": "Piwigo is vulnerable to one-click account takeover by modifying the password-reset link"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62406",
"datePublished": "2025-11-18T22:18:45.747Z",
"dateReserved": "2025-10-13T16:26:12.178Z",
"dateUpdated": "2025-11-19T16:48:47.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62709 (GCVE-0-2025-62709)
Vulnerability from cvelistv5 – Published: 2025-11-20 16:50 – Updated: 2025-11-21 16:33
VLAI
Title
ClipBucket v5 is vulnerable to password reset link manipulation
Summary
ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker’s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim’s password and take over the account. This issue has been patched in version 5.5.2#162.
Severity
6.8 (Medium)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/MacWarrior/clipbucket-v5/secur… | x_refsource_CONFIRM |
| https://github.com/MacWarrior/clipbucket-v5/commi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MacWarrior | clipbucket-v5 |
Affected:
>= 5.5.2, < 5.5.2#162
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62709",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T16:33:00.528568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T16:33:09.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xhhf-mpqr-2cq5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "clipbucket-v5",
"vendor": "MacWarrior",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5.2, \u003c 5.5.2#162"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker\u2019s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim\u2019s password and take over the account. This issue has been patched in version 5.5.2#162."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T16:50:03.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xhhf-mpqr-2cq5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xhhf-mpqr-2cq5"
},
{
"name": "https://github.com/MacWarrior/clipbucket-v5/commit/1a93532e665217b5d329808ca78e37e59e9f8a9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MacWarrior/clipbucket-v5/commit/1a93532e665217b5d329808ca78e37e59e9f8a9d"
}
],
"source": {
"advisory": "GHSA-xhhf-mpqr-2cq5",
"discovery": "UNKNOWN"
},
"title": "ClipBucket v5 is vulnerable to password reset link manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62709",
"datePublished": "2025-11-20T16:50:03.193Z",
"dateReserved": "2025-10-20T19:41:22.739Z",
"dateUpdated": "2025-11-21T16:33:09.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64101 (GCVE-0-2025-64101)
Vulnerability from cvelistv5 – Published: 2025-10-29 18:30 – Updated: 2025-10-29 19:35
VLAI
Title
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Summary
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Severity
8.1 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advis… | x_refsource_CONFIRM |
| https://github.com/zitadel/zitadel/commit/72a5c33… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T19:35:29.013422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T19:35:39.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.0"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.71.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL\u0027s password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account. It\u0027s important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T18:34:22.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23"
},
{
"name": "https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1"
}
],
"source": {
"advisory": "GHSA-mwmh-7px9-4c23",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64101",
"datePublished": "2025-10-29T18:30:14.999Z",
"dateReserved": "2025-10-27T15:26:14.126Z",
"dateUpdated": "2025-10-29T19:35:39.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64113 (GCVE-0-2025-64113)
Vulnerability from cvelistv5 – Published: 2025-12-09 19:21 – Updated: 2025-12-09 20:08
VLAI
Title
Emby Server allows attackers to gain administrative server access without preconditions
Summary
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.
Severity
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/EmbySupport/Emby.Security/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| EmbySupport | security |
Affected:
< 4.9.1.81
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T20:08:04.383435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T20:08:09.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security",
"vendor": "EmbySupport",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.1.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T19:21:12.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84"
}
],
"source": {
"advisory": "GHSA-95fv-5gfj-2r84",
"discovery": "UNKNOWN"
},
"title": "Emby Server allows attackers to gain administrative server access without preconditions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64113",
"datePublished": "2025-12-09T19:21:12.232Z",
"dateReserved": "2025-10-27T15:26:14.127Z",
"dateUpdated": "2025-12-09T20:08:09.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Phase: Architecture and Design
Description:
- Do not use standard weak security questions and use several security questions.
Mitigation
Phase: Architecture and Design
Description:
- Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Phase: Architecture and Design
Description:
- Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Phase: Architecture and Design
Description:
- Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Phase: Architecture and Design
Description:
- Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.