CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-C93V-XV7Q-4W4C
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2023-04-17 18:30An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2019-10270"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-21T18:15:00Z",
"severity": "HIGH"
},
"details": "An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.",
"id": "GHSA-c93v-xv7q-4w4c",
"modified": "2023-04-17T18:30:29Z",
"published": "2022-05-24T16:48:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10270"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2019060101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9R7-WPW8-XC67
Vulnerability from github – Published: 2024-08-23 15:30 – Updated: 2024-08-23 21:30A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users' passwords and compromise their accounts.
{
"affected": [],
"aliases": [
"CVE-2024-42915"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-23T15:15:16Z",
"severity": "HIGH"
},
"details": "A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users\u0027 passwords and compromise their accounts.",
"id": "GHSA-c9r7-wpw8-xc67",
"modified": "2024-08-23T21:30:42Z",
"published": "2024-08-23T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42915"
},
{
"type": "WEB",
"url": "https://github.com/debashish-choudhury/staff-appraisal-system"
},
{
"type": "WEB",
"url": "https://github.com/soursec/CVEs/tree/main/CVE-2024-42915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CC3R-WQMP-6H2G
Vulnerability from github – Published: 2023-01-13 00:30 – Updated: 2025-04-08 15:30The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user's session token when the "Password forgotten?" button is clicked.
{
"affected": [],
"aliases": [
"CVE-2022-25027"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-12T23:15:00Z",
"severity": "HIGH"
},
"details": "The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user\u0027s session token when the \"Password forgotten?\" button is clicked.",
"id": "GHSA-cc3r-wqmp-6h2g",
"modified": "2025-04-08T15:30:39Z",
"published": "2023-01-13T00:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25027"
},
{
"type": "WEB",
"url": "https://labs.nettitude.com/blog/cve-2022-25026-cve-2022-25027-vulnerabilities-in-rocket-trufusion-enterprise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJJJ-54W8-XMQ6
Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-04-05 00:00A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely.
{
"affected": [],
"aliases": [
"CVE-2022-1073"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-29T06:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely.",
"id": "GHSA-cjjj-54w8-xmq6",
"modified": "2022-04-05T00:00:44Z",
"published": "2022-03-30T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1073"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.194839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CM5V-3GC5-6W7V
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication.
{
"affected": [],
"aliases": [
"CVE-2022-50910"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:15:53Z",
"severity": "HIGH"
},
"details": "Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication.",
"id": "GHSA-cm5v-3gc5-6w7v",
"modified": "2026-01-14T00:31:28Z",
"published": "2026-01-14T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50910"
},
{
"type": "WEB",
"url": "https://imgur.com/a/hVlgpCg"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/beehiveforum"
},
{
"type": "WEB",
"url": "https://www.beehiveforum.co.uk"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50923"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/beehive-forum-account-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CQ42-VHV7-XR7P
Vulnerability from github – Published: 2024-06-12 19:42 – Updated: 2024-12-20 17:54In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1722"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-12T19:42:21Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "In any realm set with \"User (Self) registration\" a user that is registered with a username in email format can be \"locked out\" (denied from logging in) using his username.",
"id": "GHSA-cq42-vhv7-xr7p",
"modified": "2024-12-20T17:54:23Z",
"published": "2024-06-12T19:42:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1722"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/29603"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/29603#issuecomment-2127499627"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1722"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Keycloak Denial of Service via account lockout"
}
GHSA-CQ63-2G3G-QJF5
Vulnerability from github – Published: 2025-02-28 09:30 – Updated: 2025-02-28 09:30The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.
{
"affected": [],
"aliases": [
"CVE-2025-1570"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T09:15:12Z",
"severity": "HIGH"
},
"details": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.",
"id": "GHSA-cq63-2g3g-qjf5",
"modified": "2025-02-28T09:30:55Z",
"published": "2025-02-28T09:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1570"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3246340/directorist"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/853562ed-7f2e-453c-b3d0-67c90bd0231f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQ6M-74R4-X77G
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2024-02-28 21:03Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5172"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-28T21:03:01Z",
"nvd_published_at": "2017-10-24T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.",
"id": "GHSA-cq6m-74r4-x77g",
"modified": "2024-02-28T21:03:01Z",
"published": "2022-05-13T01:07:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5172"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/cd31cc397fe17389d95b83d6a9caa46eebc54faf"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudfoundry/uaa"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2015-5170-5173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cloud Foundry Runtime has Weak Password Recovery Mechanism for Forgotten Password"
}
GHSA-CQMJ-26M2-WVGH
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server
{
"affected": [],
"aliases": [
"CVE-2018-7811"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-30T19:29:00Z",
"severity": "CRITICAL"
},
"details": "An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server",
"id": "GHSA-cqmj-26m2-wvgh",
"modified": "2022-05-13T01:53:59Z",
"published": "2022-05-13T01:53:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7811"
},
{
"type": "WEB",
"url": "https://security.cse.iitk.ac.in/responsible-disclosure"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2018-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXH2-HXRP-WMGX
Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.
{
"affected": [],
"aliases": [
"CVE-2023-5840"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-29T01:15:41Z",
"severity": "MODERATE"
},
"details": "Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.",
"id": "GHSA-cxh2-hxrp-wmgx",
"modified": "2023-10-29T03:30:30Z",
"published": "2023-10-29T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5840"
},
{
"type": "WEB",
"url": "https://github.com/linkstackorg/linkstack/commit/fe7b99eae88f9e4c4cd4b00bab372cbf4b584b16"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8042d8c3-650e-4c0d-9146-d9ccf6082b30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.