CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-3743-C947-MRHR
Vulnerability from github – Published: 2024-12-10 03:31 – Updated: 2024-12-11 18:30CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.
{
"affected": [],
"aliases": [
"CVE-2024-53552"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T02:15:17Z",
"severity": "CRITICAL"
},
"details": "CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.",
"id": "GHSA-3743-c947-mrhr",
"modified": "2024-12-11T18:30:42Z",
"published": "2024-12-10T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53552"
},
{
"type": "WEB",
"url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-37HX-4MCQ-WC3H
Vulnerability from github – Published: 2021-10-06 17:48 – Updated: 2021-10-06 14:09In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "strapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28128"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-06T14:09:30Z",
"nvd_published_at": "2021-05-06T14:15:00Z",
"severity": "HIGH"
},
"details": "In Strapi through 3.6.0, the admin panel allows the changing of one\u0027s own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.",
"id": "GHSA-37hx-4mcq-wc3h",
"modified": "2021-10-06T14:09:30Z",
"published": "2021-10-06T17:48:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28128"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/issues/9657"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/releases/tag/v3.6.0"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weak Password Recovery Mechanism for Forgotten Password in Strapi"
}
GHSA-3CHH-Q8FX-PC2W
Vulnerability from github – Published: 2024-06-16 18:31 – Updated: 2024-08-07 18:30Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.
{
"affected": [],
"aliases": [
"CVE-2024-38468"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-16T16:15:09Z",
"severity": "CRITICAL"
},
"details": "Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.",
"id": "GHSA-3chh-q8fx-pc2w",
"modified": "2024-08-07T18:30:40Z",
"published": "2024-06-16T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38468"
},
{
"type": "WEB",
"url": "https://github.com/Pumpkin-ito/Cve-Vuln/blob/main/Guosen%20synthetic%20imaging%20system%20vulnerability.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3H52-R54R-FVGF
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-04-07 18:31macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
{
"affected": [],
"aliases": [
"CVE-2026-25858"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:02Z",
"severity": "CRITICAL"
},
"details": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.",
"id": "GHSA-3h52-r54r-fvgf",
"modified": "2026-04-07T18:31:29Z",
"published": "2026-02-08T00:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25858"
},
{
"type": "WEB",
"url": "https://github.com/macrozheng/mall/issues/946"
},
{
"type": "WEB",
"url": "https://www.macrozheng.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3H75-4G3F-6JHW
Vulnerability from github – Published: 2023-09-19 15:30 – Updated: 2024-04-04 07:44Weak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0, which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.
{
"affected": [],
"aliases": [
"CVE-2023-4096"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-19T14:15:25Z",
"severity": "HIGH"
},
"details": "Weak password recovery mechanism vulnerability in Fujitsu Arconte \u00c1urea version 1.5.0.0,\u00a0which exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.",
"id": "GHSA-3h75-4g3f-6jhw",
"modified": "2024-04-04T07:44:02Z",
"published": "2023-09-19T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4096"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fujitsu-arconte-aurea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3PM3-FG5F-VGVX
Vulnerability from github – Published: 2026-07-11 09:34 – Updated: 2026-07-11 09:34The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.
{
"affected": [],
"aliases": [
"CVE-2026-15155"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T07:16:46Z",
"severity": "HIGH"
},
"details": "The Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers \u2014 the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator\u0027s password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.",
"id": "GHSA-3pm3-fg5f-vgvx",
"modified": "2026-07-11T09:34:18Z",
"published": "2026-07-11T09:34:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15155"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Elements/Login_Register.php#L3333"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1622"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Elements/Login_Register.php#L3333"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1622"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3601504/essential-addons-for-elementor-lite/trunk/includes/Traits/Login_Registration.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fessential-addons-for-elementor-lite/tags/6.6.10\u0026new_path=%2Fessential-addons-for-elementor-lite/tags/6.6.11"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe8cf6c-b1fa-4f71-bb63-c8b181e54882?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QRQ-R688-VVH4
Vulnerability from github – Published: 2022-04-28 21:02 – Updated: 2022-04-28 21:02Impact
Multiple tokens for password reset could be requested. All tokens could be used to change the password. This makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours.
Patches
We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9
For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/shopware"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.4"
},
{
"fixed": "5.7.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24892"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-28T21:02:17Z",
"nvd_published_at": "2022-04-28T15:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nMultiple tokens for password reset could be requested. All tokens could be used to change the password.\nThis makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours.\n\n### Patches\nWe recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-9\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022",
"id": "GHSA-3qrq-r688-vvh4",
"modified": "2022-04-28T21:02:17Z",
"published": "2022-04-28T21:02:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24892"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
},
{
"type": "WEB",
"url": "https://www.shopware.com/en/changelog-sw5/#5-7-9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Multiple valid tokens for password reset in Shopware"
}
GHSA-42XW-2V8P-RRF7
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:26An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.
{
"affected": [],
"aliases": [
"CVE-2018-16988"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-02T20:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes.",
"id": "GHSA-42xw-2v8p-rrf7",
"modified": "2024-04-04T00:26:04Z",
"published": "2022-05-24T16:45:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16988"
},
{
"type": "WEB",
"url": "https://github.com/grymer/CVE/blob/master/CVE-2018-16988.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-434R-HJ47-RPJJ
Vulnerability from github – Published: 2026-03-20 06:31 – Updated: 2026-03-20 06:31The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
{
"affected": [],
"aliases": [
"CVE-2026-4136"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T04:16:50Z",
"severity": "MODERATE"
},
"details": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the \u0027rcp_redirect\u0027 parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.",
"id": "GHSA-434r-hj47-rpjj",
"modified": "2026-03-20T06:31:33Z",
"published": "2026-03-20T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4136"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.24/core/includes/login-functions.php#L270"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3486071/restrict-content"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-8357-36c82cbef28f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43QC-6X8C-RGGM
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2024-04-04 03:04The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
{
"affected": [],
"aliases": [
"CVE-2021-25323"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-19T16:15:00Z",
"severity": "CRITICAL"
},
"details": "The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.",
"id": "GHSA-43qc-6x8c-rggm",
"modified": "2024-04-04T03:04:11Z",
"published": "2022-05-24T17:39:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25323"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/afbf95a478b6e94f532ca0776c79da1b08be7eed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.