CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-J27G-R58Q-624W
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2024-04-25 22:30Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.2976"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-8385"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T22:30:26Z",
"nvd_published_at": "2017-05-01T06:59:00Z",
"severity": "MODERATE"
},
"details": "Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.",
"id": "GHSA-j27g-r58q-624w",
"modified": "2024-04-25T22:30:26Z",
"published": "2022-05-17T02:46:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8385"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/38c594badc8efc468b6162ec921d645011a50d35"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/2.6.2976/CHANGELOG.md#security"
},
{
"type": "WEB",
"url": "https://twitter.com/CraftCMS/status/857743080224473088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Craft CMS subject to URL forgery"
}
GHSA-J3V3-CJMX-765G
Vulnerability from github – Published: 2026-07-07 18:30 – Updated: 2026-07-09 15:32A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
{
"affected": [],
"aliases": [
"CVE-2026-13020"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T17:16:35Z",
"severity": "HIGH"
},
"details": "A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user\u2019s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user\u2019s password remains unchanged.",
"id": "GHSA-j3v3-cjmx-765g",
"modified": "2026-07-09T15:32:20Z",
"published": "2026-07-07T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13020"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J593-2446-M968
Vulnerability from github – Published: 2026-05-01 06:30 – Updated: 2026-05-01 06:30A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.
{
"affected": [],
"aliases": [
"CVE-2026-7554"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T06:16:32Z",
"severity": "LOW"
},
"details": "A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.",
"id": "GHSA-j593-2446-m968",
"modified": "2026-05-01T06:30:24Z",
"published": "2026-05-01T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7554"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/805642"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/360362"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/360362/cti"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
},
{
"type": "WEB",
"url": "https://www.yuque.com/iam0range/rle72q/dhs1zsbgtm1ne0y1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J6PG-H597-GCX9
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 21:31A host header injection vulnerability in MEANStore 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts.
{
"affected": [],
"aliases": [
"CVE-2024-45980"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T17:15:03Z",
"severity": "HIGH"
},
"details": "A host header injection vulnerability in MEANStore 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users\u0027 passwords and compromise their accounts.",
"id": "GHSA-j6pg-h597-gcx9",
"modified": "2024-09-26T21:31:11Z",
"published": "2024-09-26T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45980"
},
{
"type": "WEB",
"url": "https://github.com/soursec/CVEs/tree/main/CVE-2024-45980"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFCH-M2X3-2V66
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2025-06-27 21:40Insecure default configuration in portal services implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:com.liferay.portal.impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.11.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33321"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-27T21:40:15Z",
"nvd_published_at": "2021-08-03T19:15:00Z",
"severity": "HIGH"
},
"details": "Insecure default configuration in portal services implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.",
"id": "GHSA-jfch-m2x3-2v66",
"modified": "2025-06-27T21:40:15Z",
"published": "2022-05-24T19:09:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33321"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/06df28c5ad618afed967fa485418e6cc29c70f38"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/37de1d78d9b1c4a473e3233a6ea146c741075e18"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://help.liferay.com/hc/en-us/articles/360050785632"
},
{
"type": "WEB",
"url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP insecure default configuration"
}
GHSA-JGH6-GFM4-CJ58
Vulnerability from github – Published: 2024-03-01 15:31 – Updated: 2024-03-01 15:31Dell Secure Connect Gateway (SCG) Policy Manager, version 5.10+, contain a weak password recovery mechanism for forgotten passwords. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change.
{
"affected": [],
"aliases": [
"CVE-2024-24903"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-01T14:15:53Z",
"severity": "HIGH"
},
"details": "Dell Secure Connect Gateway (SCG) Policy Manager, version 5.10+, contain a weak password recovery mechanism for forgotten passwords. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change.",
"id": "GHSA-jgh6-gfm4-cj58",
"modified": "2024-03-01T15:31:38Z",
"published": "2024-03-01T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24903"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000222330/dsa-2024-077-security-update-for-dell-secure-connect-gateway-policy-manager-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHW6-RCQ8-2VXJ
Vulnerability from github – Published: 2025-08-19 21:30 – Updated: 2025-08-20 18:30Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks This vulnerability affects Firefox for iOS < 142.
{
"affected": [],
"aliases": [
"CVE-2025-55030"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T21:15:28Z",
"severity": "MODERATE"
},
"details": "Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks This vulnerability affects Firefox for iOS \u003c 142.",
"id": "GHSA-jhw6-rcq8-2vxj",
"modified": "2025-08-20T18:30:20Z",
"published": "2025-08-19T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55030"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976304"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-68"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJFR-89C6-M7CF
Vulnerability from github – Published: 2024-06-06 18:30 – Updated: 2024-06-06 18:30In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.
{
"affected": [],
"aliases": [
"CVE-2024-5277"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T18:15:20Z",
"severity": "MODERATE"
},
"details": "In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim\u0027s account. The issue lies in the backend\u0027s handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.",
"id": "GHSA-jjfr-89c6-m7cf",
"modified": "2024-06-06T18:30:58Z",
"published": "2024-06-06T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5277"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6aaba769-d99c-48cf-90d2-7abad984213d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JPMW-83XJ-PHGP
Vulnerability from github – Published: 2022-05-14 01:48 – Updated: 2022-05-14 01:48On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change.
{
"affected": [],
"aliases": [
"CVE-2018-17881"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-03T20:29:00Z",
"severity": "CRITICAL"
},
"details": "On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change.",
"id": "GHSA-jpmw-83xj-phgp",
"modified": "2022-05-14T01:48:30Z",
"published": "2022-05-14T01:48:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17881"
},
{
"type": "WEB",
"url": "https://xz.aliyun.com/t/2834#toc-5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPV9-5PVW-6MC2
Vulnerability from github – Published: 2023-04-28 12:30 – Updated: 2024-04-04 03:43This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.
Successful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device.
{
"affected": [],
"aliases": [
"CVE-2023-30466"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-28T11:15:08Z",
"severity": "CRITICAL"
},
"details": "This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device.\n\nSuccessful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device.\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-jpv9-5pvw-6mc2",
"modified": "2024-04-04T03:43:24Z",
"published": "2023-04-28T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30466"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.