CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-52JR-7FQR-H29H
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2025-11-04 18:31The password recovery mechanism for the forgotten password in Riello Netman 204 allows an attacker to reset the admin password and take over control of the device.This issue affects Netman 204: through 4.05.
{
"affected": [],
"aliases": [
"CVE-2024-8878"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T01:15:47Z",
"severity": "CRITICAL"
},
"details": "The password recovery mechanism for the forgotten password in Riello Netman 204 allows an attacker to reset the admin password and take over control of the device.This issue affects Netman 204: through 4.05.",
"id": "GHSA-52jr-7fqr-h29h",
"modified": "2025-11-04T18:31:25Z",
"published": "2024-09-25T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8878"
},
{
"type": "WEB",
"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-riello-netman-204/index.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5444-VC88-HFJH
Vulnerability from github – Published: 2024-03-21 15:31 – Updated: 2024-08-02 00:31Weak password recovery mechanism in CDeX application allows to retrieve password reset token.This issue affects CDeX application versions through 5.7.1.
{
"affected": [],
"aliases": [
"CVE-2024-2463"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T15:16:54Z",
"severity": "HIGH"
},
"details": "Weak password recovery mechanism in CDeX application allows to retrieve\u00a0password\u00a0reset token.This issue affects CDeX application versions through 5.7.1.\n\n",
"id": "GHSA-5444-vc88-hfjh",
"modified": "2024-08-02T00:31:25Z",
"published": "2024-03-21T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2463"
},
{
"type": "WEB",
"url": "https://cdex.cloud"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/03/CVE-2024-2463"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/03/CVE-2024-2463"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-556C-JFJ4-29VC
Vulnerability from github – Published: 2024-04-09 03:30 – Updated: 2024-04-09 03:30Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2024-27899"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T01:15:48Z",
"severity": "HIGH"
},
"details": "Self-Registration\u00a0and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.\n\n",
"id": "GHSA-556c-jfj4-29vc",
"modified": "2024-04-09T03:30:52Z",
"published": "2024-04-09T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27899"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3434839"
},
{
"type": "WEB",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5656-6HGP-4V5V
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta — a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2026-12416"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T07:16:26Z",
"severity": "CRITICAL"
},
"details": "The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user\u0027s stored `forgot_email` user meta \u2014 a check that trivially evaluates to true (`\u0027\u0027 == \u0027\u0027`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account\u0027s password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.",
"id": "GHSA-5656-6hgp-4v5v",
"modified": "2026-06-24T09:30:45Z",
"published": "2026-06-24T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12416"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L296"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L303"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L52"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0fbe84-e455-4e62-9c48-49340d08f81d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57VM-X738-VVVH
Vulnerability from github – Published: 2022-11-17 03:30 – Updated: 2022-11-20 15:30An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.
{
"affected": [],
"aliases": [
"CVE-2022-44004"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-16T23:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.",
"id": "GHSA-57vm-x738-vvvh",
"modified": "2022-11-20T15:30:17Z",
"published": "2022-11-17T03:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44004"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-030.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58JG-CXMW-686H
Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-16 00:01An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
{
"affected": [],
"aliases": [
"CVE-2021-43498"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-08T19:15:00Z",
"severity": "HIGH"
},
"details": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.",
"id": "GHSA-58jg-cxmw-686h",
"modified": "2022-04-16T00:01:25Z",
"published": "2022-04-09T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43498"
},
{
"type": "WEB",
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58PM-RQVV-HW49
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.
{
"affected": [],
"aliases": [
"CVE-2021-36708"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-06T14:15:00Z",
"severity": "HIGH"
},
"details": "In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.",
"id": "GHSA-58pm-rqvv-hw49",
"modified": "2022-05-24T19:10:18Z",
"published": "2022-05-24T19:10:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36708"
},
{
"type": "WEB",
"url": "https://www.ayrx.me/prolink-prc2402m-multiple-vulnerabilities/#sysinit-password-reset"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5976-FHM4-832H
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 21:32Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.
{
"affected": [],
"aliases": [
"CVE-2025-69614"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:01Z",
"severity": "CRITICAL"
},
"details": "Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.",
"id": "GHSA-5976-fhm4-832h",
"modified": "2026-03-10T21:32:14Z",
"published": "2026-03-10T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69614"
},
{
"type": "WEB",
"url": "https://gist.github.com/ethicalrohitt/b3e6d071aac8530459e8b3a5720bb832"
},
{
"type": "WEB",
"url": "https://www.telekom.com/en/company/data-privacy-and-security/news/acknowledgements-358300#R"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-59GG-H898-V8M7
Vulnerability from github – Published: 2024-03-25 09:32 – Updated: 2025-04-01 18:30This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
{
"affected": [],
"aliases": [
"CVE-2024-2862"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T07:15:50Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.",
"id": "GHSA-59gg-h898-v8m7",
"modified": "2025-04-01T18:30:38Z",
"published": "2024-03-25T09:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2862"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59HH-4792-XV6G
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:14An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
{
"affected": [],
"aliases": [
"CVE-2019-13240"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user\u0027s password again during the next 24 hours without any information except the associated email address.",
"id": "GHSA-59hh-4792-xv6g",
"modified": "2024-04-04T01:14:07Z",
"published": "2022-05-24T16:49:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13240"
},
{
"type": "WEB",
"url": "https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7"
},
{
"type": "WEB",
"url": "https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6"
},
{
"type": "WEB",
"url": "https://github.com/glpi-project/glpi/compare/1783b78...8e621f6"
},
{
"type": "WEB",
"url": "https://github.com/glpi-project/glpi/releases/tag/9.4.1"
},
{
"type": "WEB",
"url": "https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.