CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-PQ4Q-5J29-P25C
Vulnerability from github – Published: 2024-10-13 06:30 – Updated: 2024-10-13 06:30A vulnerability classified as problematic was found in QileCMS up to 1.1.3. This vulnerability affects the function sendEmail of the file /qilecms/user/controller/Forget.php of the component Verification Code Handler. The manipulation leads to weak password recovery. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-9907"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-13T05:15:02Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in QileCMS up to 1.1.3. This vulnerability affects the function sendEmail of the file /qilecms/user/controller/Forget.php of the component Verification Code Handler. The manipulation leads to weak password recovery. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-pq4q-5j29-p25c",
"modified": "2024-10-13T06:30:28Z",
"published": "2024-10-13T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9907"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/PZZ7IeudhULs"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.280234"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.280234"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.418417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PQJH-4HFV-GW8H
Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.
{
"affected": [],
"aliases": [
"CVE-2017-17097"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-02T15:29:00Z",
"severity": "CRITICAL"
},
"details": "gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.",
"id": "GHSA-pqjh-4hfv-gw8h",
"modified": "2022-05-14T03:49:06Z",
"published": "2022-05-14T03:49:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17097"
},
{
"type": "WEB",
"url": "https://gist.github.com/pak0s/ea7a80c2614d9cd43cfb8230c65c9fec"
},
{
"type": "WEB",
"url": "https://s1.gps-server.net/changelog.txt"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43431"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQJP-C8RC-7C88
Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring.
{
"affected": [],
"aliases": [
"CVE-2018-10081"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-13T05:29:00Z",
"severity": "CRITICAL"
},
"details": "CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the \"0e\" substring.",
"id": "GHSA-pqjp-c8rc-7c88",
"modified": "2022-05-14T03:31:30Z",
"published": "2022-05-14T03:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10081"
},
{
"type": "WEB",
"url": "https://github.com/itodaro/cve/blob/master/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQM7-CVX7-969J
Vulnerability from github – Published: 2025-07-07 18:32 – Updated: 2025-07-08 18:31flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
{
"affected": [],
"aliases": [
"CVE-2025-43931"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T16:15:23Z",
"severity": "CRITICAL"
},
"details": "flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.",
"id": "GHSA-pqm7-cvx7-969j",
"modified": "2025-07-08T18:31:22Z",
"published": "2025-07-07T18:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43931"
},
{
"type": "WEB",
"url": "https://gist.github.com/BrookeYangRui/19fcc6c19df7bb4d8437476c609a6129"
},
{
"type": "WEB",
"url": "https://github.com/MaxHalford/flask-boilerplate/blob/a170e7cec605906801680567c4279b30ccd9630b/app/views/user.py#L103-L126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PR5M-WXJ4-MR3R
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials.
{
"affected": [],
"aliases": [
"CVE-2016-8716"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-12T19:59:00Z",
"severity": "HIGH"
},
"details": "An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials.",
"id": "GHSA-pr5m-wxj4-mr3r",
"modified": "2022-05-13T01:01:09Z",
"published": "2022-05-13T01:01:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8716"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2016-0230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX9X-6GXM-MW3G
Vulnerability from github – Published: 2023-06-28 15:30 – Updated: 2024-04-04 05:14D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password.
{
"affected": [],
"aliases": [
"CVE-2023-26615"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-28T15:15:10Z",
"severity": "HIGH"
},
"details": "D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password.",
"id": "GHSA-px9x-6gxm-mw3g",
"modified": "2024-04-04T05:14:22Z",
"published": "2023-06-28T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26615"
},
{
"type": "WEB",
"url": "https://github.com/726232111/VulIoT/tree/main/D-Link/DIR823G%20V1.0.2B05/HNAP1"
},
{
"type": "WEB",
"url": "https://github.com/726232111/VulIoT/tree/main/D-Link/DIR823G%20V1.0.2B05/HNAP1/SetMultipleActions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2HP-4WM7-PWX5
Vulnerability from github – Published: 2022-05-14 02:01 – Updated: 2022-05-14 02:01** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots.
{
"affected": [],
"aliases": [
"CVE-2018-17401"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-23T22:29:00Z",
"severity": "HIGH"
},
"details": "** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots.",
"id": "GHSA-q2hp-4wm7-pwx5",
"modified": "2022-05-14T02:01:19Z",
"published": "2022-05-14T02:01:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17401"
},
{
"type": "WEB",
"url": "https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20Authentication%20Bypass-2.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q664-V9R4-QMRG
Vulnerability from github – Published: 2024-08-06 06:30 – Updated: 2024-08-06 06:30HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-6203"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T06:15:35Z",
"severity": "HIGH"
},
"details": "HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim\u0027s account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.",
"id": "GHSA-q664-v9r4-qmrg",
"modified": "2024-08-06T06:30:38Z",
"published": "2024-08-06T06:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6203"
},
{
"type": "WEB",
"url": "https://haloitsm.com/guides/article/?kbid=2155"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QCJ2-5Q38-5458
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19Missing password verification in the web interface on Gigaset Maxwell Basic VoIP phones with firmware 2.22.7 would allow a remote attacker (in the same network as the device) to change the admin password without authentication (and without knowing the original password).
{
"affected": [],
"aliases": [
"CVE-2018-18871"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T21:29:00Z",
"severity": "CRITICAL"
},
"details": "Missing password verification in the web interface on Gigaset Maxwell Basic VoIP phones with firmware 2.22.7 would allow a remote attacker (in the same network as the device) to change the admin password without authentication (and without knowing the original password).",
"id": "GHSA-qcj2-5q38-5458",
"modified": "2022-05-13T01:19:41Z",
"published": "2022-05-13T01:19:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18871"
},
{
"type": "WEB",
"url": "https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Gigaset_Maxwell.pdf?_=1541431343"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGWW-6VQ6-RM44
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
{
"affected": [],
"aliases": [
"CVE-2021-25961"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T14:15:00Z",
"severity": "HIGH"
},
"details": "In \u201cSuiteCRM\u201d application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.",
"id": "GHSA-qgww-6vq6-rm44",
"modified": "2022-05-24T22:28:54Z",
"published": "2022-05-24T22:28:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25961"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.