Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-2QXR-Q4FF-F53J

Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38
VLAI
Details

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-28T10:15:06Z",
    "severity": "CRITICAL"
  },
  "details": "The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-2qxr-q4ff-f53j",
  "modified": "2024-11-28T18:38:36Z",
  "published": "2024-11-28T18:38:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11103"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php#L31"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-password-reset.php#L88"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3196011/contest-gallery/tags/24.0.8/v10/v10-admin/users/frontend/login/ajax/users-login-check-ajax-lost-password.php?old=3190068\u0026old_path=contest-gallery%2Ftags%2F24.0.7%2Fv10%2Fv10-admin%2Fusers%2Ffrontend%2Flogin%2Fajax%2Fusers-login-check-ajax-lost-password.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0df7f413-2631-46d9-8c0b-d66f05a02c01?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2R4Q-H9QR-QQJP

Vulnerability from github – Published: 2023-08-21 03:30 – Updated: 2023-08-21 03:30
VLAI
Details

A vulnerability was found in OpenRapid RapidCMS 1.3.1 and classified as critical. This issue affects some unknown processing of the file admin/run-movepass.php. The manipulation of the argument password/password2 leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 4dff387283060961c362d50105ff8da8ea40bcbe. It is recommended to apply a patch to fix this issue. The identifier VDB-237569 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-21T02:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in OpenRapid RapidCMS 1.3.1 and classified as critical. This issue affects some unknown processing of the file admin/run-movepass.php. The manipulation of the argument password/password2 leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 4dff387283060961c362d50105ff8da8ea40bcbe. It is recommended to apply a patch to fix this issue. The identifier VDB-237569 was assigned to this vulnerability.",
  "id": "GHSA-2r4q-h9qr-qqjp",
  "modified": "2023-08-21T03:30:16Z",
  "published": "2023-08-21T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRapid/rapidcms/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRapid/rapidcms/commit/4dff387283060961c362d50105ff8da8ea40bcbe#diff-fc57d4c69cf5912c6edb5233c6df069a91106ebd481c115faf1ea124478b26d0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.237569"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.237569"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RRX-P33R-295R

Vulnerability from github – Published: 2025-03-13 12:30 – Updated: 2025-03-13 12:30
VLAI
Details

This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-13T12:15:13Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users.",
  "id": "GHSA-2rrx-p33r-295r",
  "modified": "2025-03-13T12:30:32Z",
  "published": "2025-03-13T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29995"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2W46-VQ8H-98VH

Vulnerability from github – Published: 2025-11-14 20:42 – Updated: 2025-11-14 20:42
VLAI
Summary
Shopware 6's password recovery link does not expire after email change
Details

Summary

When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.

PoC

  1. Log in to a Shopware account.
  2. Request a password reset for your current email address.
  3. Copy the password reset link but do not open it.
  4. Log back into your account.n
  5. Navigate to Account Settings → Email and change your email address.
  6. Use the previously copied reset link (from before the email change).
  7. The system allows password change using the old link.

Impact

Reproduced on Stable 6.6.10.7 and trunk.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0.0"
            },
            {
              "fixed": "6.7.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T20:42:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer\u2019s password even after the user changes their email address.\n\n### PoC\n\n1. Log in to a Shopware account.\n2. Request a password reset for your current email address.\n3. Copy the password reset link but do not open it.\n4. Log back into your account.n\n5. Navigate to Account Settings \u2192 Email and change your email address.\n6. Use the previously copied reset link (from before the email change).\n7. The system allows password change using the old link.\n\n### Impact\nReproduced on Stable 6.6.10.7 and trunk.",
  "id": "GHSA-2w46-vq8h-98vh",
  "modified": "2025-11-14T20:42:24Z",
  "published": "2025-11-14T20:42:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopware 6\u0027s password recovery link does not expire after email change"
}

GHSA-2WMJ-46RJ-QM2W

Vulnerability from github – Published: 2023-11-29 21:32 – Updated: 2023-11-30 15:03
VLAI
Summary
ZITADEL Account Takeover via Malicious Host Header Injection
Details

Impact

ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account.

Accounts with MFA or Passwordless enabled can not be taken over by this attack.

Patches

The patched ZITADEL versions verify, that the auth requests instance is retrieved by the requests original domain (from the Forwarded or X-Forwarded-Host headers if available). If the instance can't be found using the original host or the auth request can't be found within that instance, ZITADEL throws an error.

2.x versions are fixed on >= 2.41.6 2.40.x versions are fixed on >= 2.40.10 2.39.x versions are fixed on >= 2.39.9

The vulnerablility was introduced with 2.39.0.

Workarounds

A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.39.0"
            },
            {
              "fixed": "2.39.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.40.0"
            },
            {
              "fixed": "2.40.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.41.0"
            },
            {
              "fixed": "2.41.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-29T21:32:51Z",
    "nvd_published_at": "2023-11-30T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account.\n\nAccounts with MFA or Passwordless enabled can not be taken over by this attack.\n\n### Patches\n\nThe patched ZITADEL versions verify, that the auth requests instance is retrieved by the requests original domain (from the Forwarded or X-Forwarded-Host headers if available). If the instance can\u0027t be found using the original host or the auth request can\u0027t be found within that instance, ZITADEL throws an error.\n\n2.x versions are fixed on \u003e= [2.41.6](https://github.com/zitadel/zitadel/releases/tag/v2.41.6)\n2.40.x versions are fixed on \u003e= [2.40.10](https://github.com/zitadel/zitadel/releases/tag/v2.40.10)\n2.39.x versions are fixed on \u003e= [2.39.9](https://github.com/zitadel/zitadel/releases/tag/v2.39.9)\n\nThe vulnerablility was introduced with 2.39.0.\n\n### Workarounds\n\nA ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.\n\n### References\n\nNone\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n",
  "id": "GHSA-2wmj-46rj-qm2w",
  "modified": "2023-11-30T15:03:20Z",
  "published": "2023-11-29T21:32:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49097"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZITADEL Account Takeover via Malicious Host Header Injection"
}

GHSA-327M-FMGH-C794

Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-14 15:30
VLAI
Details

An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-13T17:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.",
  "id": "GHSA-327m-fmgh-c794",
  "modified": "2025-08-14T15:30:35Z",
  "published": "2025-08-13T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50594"
    },
    {
      "type": "WEB",
      "url": "https://www.aecyberpro.com/blog/general/2025-04-30-Account-Takeover-BOLA-Hospital-Management-System-EMR"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-338P-FCWM-8FGC

Vulnerability from github – Published: 2026-05-05 15:31 – Updated: 2026-05-06 18:30
VLAI
Details

An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-05T14:16:08Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.",
  "id": "GHSA-338p-fcwm-8fgc",
  "modified": "2026-05-06T18:30:30Z",
  "published": "2026-05-05T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34408"
    },
    {
      "type": "WEB",
      "url": "https://herolab.usd.de/security-advisories/usd-2024-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-34CX-HVM4-VX7J

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-02-10 14:17
VLAI
Summary
Mattermost Server password reset email requests can be sent to attacker-provided email addresses
Details

An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.1-rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T22:48:56Z",
    "nvd_published_at": "2020-06-19T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.",
  "id": "GHSA-34cx-hvm4-vx7j",
  "modified": "2026-02-10T14:17:04Z",
  "published": "2022-05-24T17:21:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/59139390ae927af2e879dbacfe4dadb1adac97c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/d3bc11be3acd3a73e6358d958b91427e2584ea71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/e5065cf7575ee05c040945a4b00b7fd90bf39b83"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server password reset email requests can be sent to attacker-provided email addresses"
}

GHSA-35FG-HJCR-J65F

Vulnerability from github – Published: 2022-02-09 21:51 – Updated: 2022-02-09 21:51
VLAI
Summary
Information exposure in xwiki-platform
Details

Impact

It's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users.

Patches

The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.

Workarounds

There's no easy workaround other than applying the upgrade.

References

https://jira.xwiki.org/browse/XWIKI-18787

For more information

If you have any questions or comments about this advisory: * Open an issue in JIRA * Email us at XWiki Security Mailing list

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.5RC1"
            },
            {
              "fixed": "13.6RC1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-09T21:51:19Z",
    "nvd_published_at": "2022-02-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users.\n\n### Patches\nThe problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.\n\n### Workarounds\nThere\u0027s no easy workaround other than applying the upgrade.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-18787\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [JIRA](https://jira.xwiki.org)\n* Email us at [XWiki Security Mailing list](mailto:security@xwiki.org)\n",
  "id": "GHSA-35fg-hjcr-j65f",
  "modified": "2022-02-09T21:51:19Z",
  "published": "2022-02-09T21:51:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-18787"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information exposure in xwiki-platform"
}

GHSA-365P-96QV-XR7G

Vulnerability from github – Published: 2018-10-16 19:56 – Updated: 2022-04-26 19:06
VLAI
Summary
ASP.NET Core allow an elevation of privilege
Details

ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.AspNetCore.HttpOverrides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.AspNetCore.Server.Kestrel.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-0787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:54:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka \"ASP.NET Core Elevation Of Privilege Vulnerability\".",
  "id": "GHSA-365p-96qv-xr7g",
  "modified": "2022-04-26T19:06:29Z",
  "published": "2018-10-16T19:56:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aspnet/Announcements/issues/295"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-365p-96qv-xr7g"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0787"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103282"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040525"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ASP.NET Core allow an elevation of privilege"
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.