Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-52JR-7FQR-H29H

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2025-11-04 18:31
VLAI
Details

The password recovery mechanism for the forgotten password in Riello Netman 204 allows an attacker to reset the admin password and take over control of the device.This issue affects Netman 204: through 4.05.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "The password recovery mechanism for the forgotten password in Riello Netman 204 allows an attacker to reset the admin password and take over control of the device.This issue affects Netman 204: through 4.05.",
  "id": "GHSA-52jr-7fqr-h29h",
  "modified": "2025-11-04T18:31:25Z",
  "published": "2024-09-25T03:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8878"
    },
    {
      "type": "WEB",
      "url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-riello-netman-204/index.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5444-VC88-HFJH

Vulnerability from github – Published: 2024-03-21 15:31 – Updated: 2024-08-02 00:31
VLAI
Details

Weak password recovery mechanism in CDeX application allows to retrieve password reset token.This issue affects CDeX application versions through 5.7.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-21T15:16:54Z",
    "severity": "HIGH"
  },
  "details": "Weak password recovery mechanism in CDeX application allows to retrieve\u00a0password\u00a0reset token.This issue affects CDeX application versions through 5.7.1.\n\n",
  "id": "GHSA-5444-vc88-hfjh",
  "modified": "2024-08-02T00:31:25Z",
  "published": "2024-03-21T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2463"
    },
    {
      "type": "WEB",
      "url": "https://cdex.cloud"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2024/03/CVE-2024-2463"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2024/03/CVE-2024-2463"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-556C-JFJ4-29VC

Vulnerability from github – Published: 2024-04-09 03:30 – Updated: 2024-04-09 03:30
VLAI
Details

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T01:15:48Z",
    "severity": "HIGH"
  },
  "details": "Self-Registration\u00a0and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.\n\n",
  "id": "GHSA-556c-jfj4-29vc",
  "modified": "2024-04-09T03:30:52Z",
  "published": "2024-04-09T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27899"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3434839"
    },
    {
      "type": "WEB",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5656-6HGP-4V5V

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30
VLAI
Details

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravel_invoice_change_password() function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied reset_activation_code POST parameter and the target user's stored forgot_email user meta — a check that trivially evaluates to true ('' == '') for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the reset_user_id POST parameter, bypass the activation code check entirely by omitting reset_activation_code, and set the target account's password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T07:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and performing a loose equality comparison between the supplied `reset_activation_code` POST parameter and the target user\u0027s stored `forgot_email` user meta \u2014 a check that trivially evaluates to true (`\u0027\u0027 == \u0027\u0027`) for any user who has never initiated a forgot-password request, which applies to administrators under normal conditions. This makes it possible for unauthenticated attackers to supply an arbitrary user ID via the `reset_user_id` POST parameter, bypass the activation code check entirely by omitting `reset_activation_code`, and set the target account\u0027s password to an attacker-chosen value, enabling full takeover of any account on the site, including administrator accounts.",
  "id": "GHSA-5656-6hgp-4v5v",
  "modified": "2026-06-24T09:30:45Z",
  "published": "2026-06-24T09:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12416"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L296"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L303"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/invoice-creator/tags/1.0.0/lib/user-manage-function.php#L52"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0fbe84-e455-4e62-9c48-49340d08f81d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57VM-X738-VVVH

Vulnerability from github – Published: 2022-11-17 03:30 – Updated: 2022-11-20 15:30
VLAI
Details

An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-16T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.",
  "id": "GHSA-57vm-x738-vvvh",
  "modified": "2022-11-20T15:30:17Z",
  "published": "2022-11-17T03:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44004"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-030.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58JG-CXMW-686H

Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-16 00:01
VLAI
Details

An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-08T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.",
  "id": "GHSA-58jg-cxmw-686h",
  "modified": "2022-04-16T00:01:25Z",
  "published": "2022-04-09T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58PM-RQVV-HW49

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.",
  "id": "GHSA-58pm-rqvv-hw49",
  "modified": "2022-05-24T19:10:18Z",
  "published": "2022-05-24T19:10:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36708"
    },
    {
      "type": "WEB",
      "url": "https://www.ayrx.me/prolink-prc2402m-multiple-vulnerabilities/#sysinit-password-reset"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5976-FHM4-832H

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 21:32
VLAI
Details

Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:01Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.",
  "id": "GHSA-5976-fhm4-832h",
  "modified": "2026-03-10T21:32:14Z",
  "published": "2026-03-10T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69614"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ethicalrohitt/b3e6d071aac8530459e8b3a5720bb832"
    },
    {
      "type": "WEB",
      "url": "https://www.telekom.com/en/company/data-privacy-and-security/news/acknowledgements-358300#R"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59GG-H898-V8M7

Vulnerability from github – Published: 2024-03-25 09:32 – Updated: 2025-04-01 18:30
VLAI
Details

This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-25T07:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.",
  "id": "GHSA-59gg-h898-v8m7",
  "modified": "2025-04-01T18:30:38Z",
  "published": "2024-03-25T09:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2862"
    },
    {
      "type": "WEB",
      "url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59HH-4792-XV6G

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:14
VLAI
Details

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-10T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user\u0027s password again during the next 24 hours without any information except the associated email address.",
  "id": "GHSA-59hh-4792-xv6g",
  "modified": "2024-04-04T01:14:07Z",
  "published": "2022-05-24T16:49:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glpi-project/glpi/compare/1783b78...8e621f6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glpi-project/glpi/releases/tag/9.4.1"
    },
    {
      "type": "WEB",
      "url": "https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.