Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-RR4Q-QMWM-H86V

Vulnerability from github – Published: 2022-05-14 03:53 – Updated: 2022-05-14 03:53
VLAI
Details

389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-16T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.",
  "id": "GHSA-rr4q-qmwm-h86v",
  "modified": "2022-05-14T03:53:46Z",
  "published": "2022-05-14T03:53:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7551"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2569"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2017-7551"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477669"
    },
    {
      "type": "WEB",
      "url": "https://pagure.io/389-ds-base/issue/49336"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3J7-7H3R-662C

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-11T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.",
  "id": "GHSA-v3j7-7h3r-662c",
  "modified": "2022-05-24T19:02:07Z",
  "published": "2022-05-24T19:02:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31912"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V5MF-VJW2-X655

Vulnerability from github – Published: 2023-06-29 18:30 – Updated: 2024-04-04 05:18
VLAI
Details

The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-29T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.",
  "id": "GHSA-v5mf-vjw2-x655",
  "modified": "2024-04-04T05:18:06Z",
  "published": "2023-06-29T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36487"
    },
    {
      "type": "WEB",
      "url": "https://docu.ilias.de/ilias.php?ref_id=1719\u0026obj_id=141694\u0026obj_type=PageObject\u0026cmd=layout\u0026cmdClass=illmpresentationgui\u0026cmdNode=13g\u0026baseClass=ilLMPresentationGUI"
    },
    {
      "type": "WEB",
      "url": "https://docu.ilias.de/ilias.php?ref_id=1719\u0026obj_id=141703\u0026obj_type=PageObject\u0026cmd=layout\u0026cmdClass=illmpresentationgui\u0026cmdNode=13g\u0026baseClass=ilLMPresentationGUI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V683-RCXX-VPFF

Vulnerability from github – Published: 2023-10-10 21:30 – Updated: 2023-10-10 21:30
VLAI
Summary
ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting
Details

Impact

ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL.

Patches

This bug has been patched in versions >2.27.2 beginning with 2.37.3 and 2.38.0

Workarounds

None available we advise to updated if this is needed.

References

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.37.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-10T21:30:15Z",
    "nvd_published_at": "2023-10-10T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL.\n\n### Patches\nThis bug has been patched in versions \u003e2.27.2 beginning with [2.37.3](https://github.com/zitadel/zitadel/releases/tag/v2.37.3) and [2.38.0](https://github.com/zitadel/zitadel/releases/tag/v2.38.0)\n\n### Workarounds\nNone available we advise to updated if this is needed.\n\n### References\nNone\n",
  "id": "GHSA-v683-rcxx-vpff",
  "modified": "2023-10-10T21:30:15Z",
  "published": "2023-10-10T21:30:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44399"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZITADEL\u0027s password reset does not respect the \"Ignoring unknown usernames\" setting"
}

GHSA-V8C2-FC7G-2MJ8

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:02
VLAI
Details

An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-22T11:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router.",
  "id": "GHSA-v8c2-fc7g-2mj8",
  "modified": "2024-04-04T00:02:44Z",
  "published": "2022-05-24T16:44:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11414"
    },
    {
      "type": "WEB",
      "url": "http://1.337.zone/2019/04/07/intelbras-iwr-3000n-1-5-0-unproper-de-authorization"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCGG-HP4R-87GX

Vulnerability from github – Published: 2022-05-14 01:09 – Updated: 2024-04-25 23:16
VLAI
Summary
Contao Does Not Invalidate Existing Sessions When Password Changes
Details

Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/contao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/contao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.5.39"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T23:16:25Z",
    "nvd_published_at": "2019-04-17T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.",
  "id": "GHSA-vcgg-hp4r-87gx",
  "modified": "2024-04-25T23:16:25Z",
  "published": "2022-05-14T01:09:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/contao/contao/commit/74c7dfafa0dfa5363a9463b486522d5d526e28fe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/contao/contao/commit/b92e27bc7c9e59226077937f840c74ffd0f672e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/contao/core/commit/119a1b5bd9e62d27ca2838727084d04f3b7fcd32"
    },
    {
      "type": "WEB",
      "url": "https://contao.org/en/news/security-vulnerability-cve-2019-10641.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10641.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10641.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2019-10641.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Contao Does Not Invalidate Existing Sessions When Password Changes"
}

GHSA-VFQ6-HQ5R-27R6

Vulnerability from github – Published: 2020-01-16 22:35 – Updated: 2024-09-20 15:01
VLAI
Summary
Django Potential account hijack via password reset form
Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-16T22:34:58Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\u0027s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)",
  "id": "GHSA-vfq6-hq5r-27r6",
  "modified": "2024-09-20T15:01:08Z",
  "published": "2020-01-16T22:35:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4598"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4224-1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200110-0003"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202004-17"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2020/Jan/9"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vfq6-hq5r-27r6"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/dev/releases/security"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django Potential account hijack via password reset form"
}

GHSA-VG8H-77QG-7W2F

Vulnerability from github – Published: 2023-03-13 21:30 – Updated: 2023-03-16 18:30
VLAI
Details

The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-13T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.",
  "id": "GHSA-vg8h-77qg-7w2f",
  "modified": "2023-03-16T18:30:27Z",
  "published": "2023-03-13T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0352"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJVV-4332-CJW5

Vulnerability from github – Published: 2025-07-07 18:32 – Updated: 2025-07-07 18:32
VLAI
Details

IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-07T18:15:25Z",
    "severity": "MODERATE"
  },
  "details": "IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques.",
  "id": "GHSA-vjvv-4332-cjw5",
  "modified": "2025-07-07T18:32:28Z",
  "published": "2025-07-07T18:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43190"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7238992"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM64-H6MJ-W9F2

Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2023-12-12 03:31
VLAI
Details

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T01:15:11Z",
    "severity": "HIGH"
  },
  "details": "In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.\n\n",
  "id": "GHSA-vm64-h6mj-w9f2",
  "modified": "2023-12-12T03:31:43Z",
  "published": "2023-12-12T03:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42481"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3394567"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.