Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-7C6J-GM9G-QHCJ

Vulnerability from github – Published: 2022-05-14 03:18 – Updated: 2022-05-14 03:18
VLAI
Details

An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-30T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user\u0027s ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address.",
  "id": "GHSA-7c6j-gm9g-qhcj",
  "modified": "2022-05-14T03:18:33Z",
  "published": "2022-05-14T03:18:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000141"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/mahara/+bug/1422492"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7FG8-FWGF-G9X2

Vulnerability from github – Published: 2024-10-25 15:31 – Updated: 2024-11-15 00:31
VLAI
Details

An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T15:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function.",
  "id": "GHSA-7fg8-fwgf-g9x2",
  "modified": "2024-11-15T00:31:50Z",
  "published": "2024-10-25T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48428"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40powerful-/account-takeover-ato-via-the-reset-password-cve-2024-48428-84892d6211d6"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/h7w/full-account-takeover-via-password-reset-link-manipulation-840fb9402967"
    },
    {
      "type": "WEB",
      "url": "https://www.linkedin.com/posts/said-al-ghammari-301972285_0day-bugbountytips-bugbountytip-activity-7227418100034412544-2ocu"
    },
    {
      "type": "WEB",
      "url": "https://www.olivevle.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7FRC-FVV8-6VW2

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-25T16:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-7frc-fvv8-6vw2",
  "modified": "2026-05-26T13:30:47Z",
  "published": "2026-05-26T13:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9466"
    },
    {
      "type": "WEB",
      "url": "https://ucn9h68n9289.feishu.cn/wiki/DRghw6X8piOtClkjBkHcfgvtnPx?from=from_copylink"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/813990"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365447"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365447/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7GM6-W7MX-58CR

Vulnerability from github – Published: 2026-05-04 09:31 – Updated: 2026-06-18 20:07
VLAI
Summary
phpBB has Password Reset Link Poisoning via Host Header injection
Details

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpbb/phpbb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpbb/phpbb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-a1"
            },
            {
              "fixed": "4.0.0-a2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.0-a1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T20:07:10Z",
    "nvd_published_at": "2026-05-04T07:15:59Z",
    "severity": "HIGH"
  },
  "details": "phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.",
  "id": "GHSA-7gm6-w7mx-58cr",
  "modified": "2026-06-18T20:07:10Z",
  "published": "2026-05-04T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29199"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3543246"
    },
    {
      "type": "WEB",
      "url": "https://blog.phpbb.com/2026/04/27/phpbb-4-0-0-a2-release"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phpbb/phpbb-app"
    },
    {
      "type": "WEB",
      "url": "https://www.phpbb.com/community/viewtopic.php?t=2671024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpBB has Password Reset Link Poisoning via Host Header injection"
}

GHSA-7GXX-VCPP-M3J9

Vulnerability from github – Published: 2024-01-02 03:30 – Updated: 2024-01-02 03:30
VLAI
Details

A vulnerability classified as problematic has been found in HuiRan Host Reseller System up to 2.0.0. Affected is an unknown function of the file /user/index/findpass?do=4 of the component HTTP POST Request Handler. The manipulation leads to weak password recovery. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249444.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-02T01:15:08Z",
    "severity": "LOW"
  },
  "details": "A vulnerability classified as problematic has been found in HuiRan Host Reseller System up to 2.0.0. Affected is an unknown function of the file /user/index/findpass?do=4 of the component HTTP POST Request Handler. The manipulation leads to weak password recovery. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249444.",
  "id": "GHSA-7gxx-vcpp-m3j9",
  "modified": "2024-01-02T03:30:30Z",
  "published": "2024-01-02T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0186"
    },
    {
      "type": "WEB",
      "url": "https://note.zhaoj.in/share/WwPWWizD2Spk"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.249444"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.249444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JMP-283P-H6XJ

Vulnerability from github – Published: 2025-06-23 21:31 – Updated: 2025-06-23 21:31
VLAI
Details

Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application. Was ZDI-CAN-27104.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-21T01:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application. Was ZDI-CAN-27104.",
  "id": "GHSA-7jmp-283p-h6xj",
  "modified": "2025-06-23T21:31:49Z",
  "published": "2025-06-23T21:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6216"
    },
    {
      "type": "WEB",
      "url": "https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-410"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R43-V6HM-QRJH

Vulnerability from github – Published: 2023-03-21 18:30 – Updated: 2023-03-28 15:30
VLAI
Details

An insecure password reset issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 service via insecure expiry mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An insecure password reset issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS \u0026 Android v1.4.4 service via insecure expiry mechanism.",
  "id": "GHSA-7r43-v6hm-qrjh",
  "modified": "2023-03-28T15:30:16Z",
  "published": "2023-03-21T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WithSecureLabs/megafeis-palm/tree/main/CVE-2022-45637"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R79-MRP6-8MHQ

Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-10 16:00
VLAI
Summary
Rate limit missing in microweber
Details

Microweber prior to version 1.3 does not rate limit password reset emails.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "microweber/microweber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-02T21:22:22Z",
    "nvd_published_at": "2022-03-01T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microweber prior to version 1.3 does not rate limit password reset emails.",
  "id": "GHSA-7r79-mrp6-8mhq",
  "modified": "2022-03-10T16:00:56Z",
  "published": "2022-03-02T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microweber/microweber/commit/a3944cf9d1d8c41a48297ddc98302934e2511b0f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microweber/microweber"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b36be8cd-544f-42bd-990d-aa1a46df44d7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rate limit missing in microweber"
}

GHSA-82X3-QMXQ-6MG5

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-04T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.",
  "id": "GHSA-82x3-qmxq-6mg5",
  "modified": "2022-05-13T01:49:33Z",
  "published": "2022-05-13T01:49:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12315"
    },
    {
      "type": "WEB",
      "url": "https://blog.securityevaluators.com/over-a-dozen-vulnerabilities-discovered-in-asustor-as-602t-8dd5832a82cc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-835R-F6JF-2VW3

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the password recovery mechanism. The issue results from reliance upon the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20484.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:34Z",
    "severity": "HIGH"
  },
  "details": "TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the password recovery mechanism. The issue results from reliance upon the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20484.",
  "id": "GHSA-835r-f6jf-2vw3",
  "modified": "2024-05-03T03:30:52Z",
  "published": "2024-05-03T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35717"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-895"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.