Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-6P8M-QJVM-Q2JF

Vulnerability from github – Published: 2026-07-11 06:31 – Updated: 2026-07-11 06:31
VLAI
Details

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-11T06:16:10Z",
    "severity": "HIGH"
  },
  "details": "The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user\u0027s email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user\u0027s password and gain access to their account if the customer ID is known.",
  "id": "GHSA-6p8m-qjvm-q2jf",
  "modified": "2026-07-11T06:31:16Z",
  "published": "2026-07-11T06:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7655"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3532438/surecart"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e19f5f7b-6698-4275-a362-15e5441e0fa9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6Q5R-2GFW-G2W4

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Email Injection in TerraMaster TOS \u003c= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.",
  "id": "GHSA-6q5r-2gfw-g2w4",
  "modified": "2022-05-24T17:37:15Z",
  "published": "2022-05-24T17:37:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28186"
    },
    {
      "type": "WEB",
      "url": "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.terra-master.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6Q5V-82V5-MPF9

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM and MCSESP V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker.",
  "id": "GHSA-6q5v-82v5-mpf9",
  "modified": "2022-05-24T19:03:17Z",
  "published": "2022-05-24T19:03:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22731"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6RRR-4JQJ-5947

Vulnerability from github – Published: 2026-07-07 18:30 – Updated: 2026-07-07 18:30
VLAI
Details

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T17:16:35Z",
    "severity": "CRITICAL"
  },
  "details": "Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.",
  "id": "GHSA-6rrr-4jqj-5947",
  "modified": "2026-07-07T18:30:42Z",
  "published": "2026-07-07T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13019"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6XC2-MJ39-Q599

Vulnerability from github – Published: 2019-12-02 18:20 – Updated: 2022-08-02 15:09
VLAI
Summary
Strapi allows unauthenticated attacker to reset admin password without valid reset token
Details

Versions of strapi prior to 3.0.0-beta.17.5 are vulnerable to Privilege Escalation. The password reset routes allows an unauthenticated attacker to reset an admin's password without providing a valid password reset token.

Recommendation

Upgrade to version 3.0.0-beta.17.5 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0-beta.17.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0-beta.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-18818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-02T17:36:24Z",
    "nvd_published_at": "2019-11-07T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of `strapi` prior to 3.0.0-beta.17.5 are vulnerable to Privilege Escalation. The password reset routes allows an unauthenticated attacker to reset an admin\u0027s password without providing a valid password reset token.\n\n\n## Recommendation\n\nUpgrade to version 3.0.0-beta.17.5 or later.",
  "id": "GHSA-6xc2-mj39-q599",
  "modified": "2022-08-02T15:09:07Z",
  "published": "2019-12-02T18:20:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/pull/4443"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1311"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strapi allows unauthenticated attacker to reset admin password without valid reset token"
}

GHSA-734X-3WJX-2XXP

Vulnerability from github – Published: 2024-01-13 15:30 – Updated: 2024-01-13 15:30
VLAI
Details

A vulnerability classified as problematic has been found in Huaxia ERP up to 3.1. Affected is an unknown function of the file src/main/java/com/jsh/erp/controller/UserController.java. The manipulation leads to weak password recovery. It is possible to launch the attack remotely. Upgrading to version 3.2 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-250596.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-13T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in Huaxia ERP up to 3.1. Affected is an unknown function of the file src/main/java/com/jsh/erp/controller/UserController.java. The manipulation leads to weak password recovery. It is possible to launch the attack remotely. Upgrading to version 3.2 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-250596.",
  "id": "GHSA-734x-3wjx-2xxp",
  "modified": "2024-01-13T15:30:23Z",
  "published": "2024-01-13T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laoquanshi/puppy/blob/main/Logic%20loopholes%20in%20Huaxia%20ERP%20can%20lead%20to%20unauthorized%20access2.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.250596"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.250596"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-739H-RW2P-GGHV

Vulnerability from github – Published: 2026-01-01 00:31 – Updated: 2026-01-01 00:31
VLAI
Details

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-31T22:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-739h-rw2p-gghv",
  "modified": "2026-01-01T00:31:25Z",
  "published": "2026-01-01T00:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15398"
    },
    {
      "type": "WEB",
      "url": "https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq"
    },
    {
      "type": "WEB",
      "url": "https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--trigger-password-reset-for-victim--strong---span-"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.339207"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.339207"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.720129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-748X-222R-QC52

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2025-04-20 03:43
VLAI
Details

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from "support" to "admin".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-24T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from \"support\" to \"admin\".",
  "id": "GHSA-748x-222r-qc52",
  "modified": "2025-04-20T03:43:49Z",
  "published": "2022-05-17T01:22:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7257"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/38772"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Nov/48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75R8-6X58-82P6

Vulnerability from github – Published: 2024-11-14 12:31 – Updated: 2024-11-14 12:31
VLAI
Details

IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users to recover or change their passwords without knowing the original password, but the user account must be compromised prior to the weak recovery mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T12:15:18Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users to recover or change their passwords without knowing the original password, but the user account must be compromised prior to the weak recovery mechanism.",
  "id": "GHSA-75r8-6x58-82p6",
  "modified": "2024-11-14T12:31:03Z",
  "published": "2024-11-14T12:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45670"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7172206"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78WQ-6GCV-W28R

Vulnerability from github – Published: 2026-02-13 22:49 – Updated: 2026-02-13 22:49
VLAI
Summary
Known affected by Account Takeover via Password Reset Token Leakage
Details

Summary

A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.

Details

The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.

Specifically, the sensitive token is embedded in:

Because this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.

PoC

  1. The attacker asks for a password reset for the victim

image

image(1)

  1. The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML. image(2)

  2. With this code, the attacker is able to use it in order to reset the victim password. image(3)

image(4)

  1. The attacker is able to login with the new password.

image(5)

image(6)

Impact

  • An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "idno/known"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-13T22:49:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user\u0027s email, leading to full Account Takeover (ATO) without requiring access to the victim\u0027s email inbox.\n\n### Details\nThe vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.\n\nSpecifically, the sensitive token is embedded in:\n\u003cinput type=\"hidden\" name=\"code\" value=\"[SECRET_TOKEN]\"\u003e\n\nBecause this page is accessible via a GET request using the victim\u0027s email as a parameter, an attacker can programmatically extract the token.\n\n### PoC\n1. The attacker asks for a password reset for the victim\n\n\u003cimg width=\"1328\" height=\"580\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0197907e-f10b-4e6d-989e-f25c408862cd\" /\u003e\n\n\u003cimg width=\"1139\" height=\"452\" alt=\"image(1)\" src=\"https://github.com/user-attachments/assets/9a317b27-b56a-4663-9965-d3e660713f4e\" /\u003e\n\n\n2. The attacker makes the following curl command on the terminal using the victim\u0027s email, and is able to get the code that was sent as an hidden field in the HTML.\n\u003cimg width=\"917\" height=\"220\" alt=\"image(2)\" src=\"https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348\" /\u003e\n\n3. With this code, the attacker is able to use it in order to reset the victim password.\n\u003cimg width=\"1335\" height=\"711\" alt=\"image(3)\" src=\"https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d\" /\u003e\n\n\u003cimg width=\"1258\" height=\"524\" alt=\"image(4)\" src=\"https://github.com/user-attachments/assets/d1304dc3-bf56-4ec7-920c-ecce502db6b0\" /\u003e\n\n4. The attacker is able to login with the new password.\n\n\u003cimg width=\"1514\" height=\"631\" alt=\"image(5)\" src=\"https://github.com/user-attachments/assets/2533032e-6f0d-45c8-9fe1-881bfedebcc4\" /\u003e\n\n\u003cimg width=\"1528\" height=\"647\" alt=\"image(6)\" src=\"https://github.com/user-attachments/assets/a6e9144c-cc96-493d-8780-9156c299a192\" /\u003e\n\n\n\n### Impact\n- An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.",
  "id": "GHSA-78wq-6gcv-w28r",
  "modified": "2026-02-13T22:49:27Z",
  "published": "2026-02-13T22:49:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/idno/known"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/releases/tag/1.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Known affected by Account Takeover via Password Reset Token Leakage"
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.