CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-RR4Q-QMWM-H86V
Vulnerability from github – Published: 2022-05-14 03:53 – Updated: 2022-05-14 03:53389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.
{
"affected": [],
"aliases": [
"CVE-2017-7551"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-16T18:29:00Z",
"severity": "CRITICAL"
},
"details": "389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.",
"id": "GHSA-rr4q-qmwm-h86v",
"modified": "2022-05-14T03:53:46Z",
"published": "2022-05-14T03:53:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7551"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2569"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-7551"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477669"
},
{
"type": "WEB",
"url": "https://pagure.io/389-ds-base/issue/49336"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3J7-7H3R-662C
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.
{
"affected": [],
"aliases": [
"CVE-2021-31912"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-11T13:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.",
"id": "GHSA-v3j7-7h3r-662c",
"modified": "2022-05-24T19:02:07Z",
"published": "2022-05-24T19:02:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31912"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V5MF-VJW2-X655
Vulnerability from github – Published: 2023-06-29 18:30 – Updated: 2024-04-04 05:18The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.
{
"affected": [],
"aliases": [
"CVE-2023-36487"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-29T17:15:09Z",
"severity": "CRITICAL"
},
"details": "The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.",
"id": "GHSA-v5mf-vjw2-x655",
"modified": "2024-04-04T05:18:06Z",
"published": "2023-06-29T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36487"
},
{
"type": "WEB",
"url": "https://docu.ilias.de/ilias.php?ref_id=1719\u0026obj_id=141694\u0026obj_type=PageObject\u0026cmd=layout\u0026cmdClass=illmpresentationgui\u0026cmdNode=13g\u0026baseClass=ilLMPresentationGUI"
},
{
"type": "WEB",
"url": "https://docu.ilias.de/ilias.php?ref_id=1719\u0026obj_id=141703\u0026obj_type=PageObject\u0026cmd=layout\u0026cmdClass=illmpresentationgui\u0026cmdNode=13g\u0026baseClass=ilLMPresentationGUI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V683-RCXX-VPFF
Vulnerability from github – Published: 2023-10-10 21:30 – Updated: 2023-10-10 21:30Impact
ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL.
Patches
This bug has been patched in versions >2.27.2 beginning with 2.37.3 and 2.38.0
Workarounds
None available we advise to updated if this is needed.
References
None
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.37.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-44399"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-10T21:30:15Z",
"nvd_published_at": "2023-10-10T17:15:13Z",
"severity": "MODERATE"
},
"details": "### Impact\nZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL.\n\n### Patches\nThis bug has been patched in versions \u003e2.27.2 beginning with [2.37.3](https://github.com/zitadel/zitadel/releases/tag/v2.37.3) and [2.38.0](https://github.com/zitadel/zitadel/releases/tag/v2.38.0)\n\n### Workarounds\nNone available we advise to updated if this is needed.\n\n### References\nNone\n",
"id": "GHSA-v683-rcxx-vpff",
"modified": "2023-10-10T21:30:15Z",
"published": "2023-10-10T21:30:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44399"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ZITADEL\u0027s password reset does not respect the \"Ignoring unknown usernames\" setting"
}
GHSA-V8C2-FC7G-2MJ8
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:02An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router.
{
"affected": [],
"aliases": [
"CVE-2019-11414"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-22T11:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router.",
"id": "GHSA-v8c2-fc7g-2mj8",
"modified": "2024-04-04T00:02:44Z",
"published": "2022-05-24T16:44:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11414"
},
{
"type": "WEB",
"url": "http://1.337.zone/2019/04/07/intelbras-iwr-3000n-1-5-0-unproper-de-authorization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VCGG-HP4R-87GX
Vulnerability from github – Published: 2022-05-14 01:09 – Updated: 2024-04-25 23:16Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "contao/contao"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.37"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/contao"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "4.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.37"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "4.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "contao/core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.5.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10641"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T23:16:25Z",
"nvd_published_at": "2019-04-17T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.",
"id": "GHSA-vcgg-hp4r-87gx",
"modified": "2024-04-25T23:16:25Z",
"published": "2022-05-14T01:09:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10641"
},
{
"type": "WEB",
"url": "https://github.com/contao/contao/commit/74c7dfafa0dfa5363a9463b486522d5d526e28fe"
},
{
"type": "WEB",
"url": "https://github.com/contao/contao/commit/b92e27bc7c9e59226077937f840c74ffd0f672e8"
},
{
"type": "WEB",
"url": "https://github.com/contao/core/commit/119a1b5bd9e62d27ca2838727084d04f3b7fcd32"
},
{
"type": "WEB",
"url": "https://contao.org/en/news/security-vulnerability-cve-2019-10641.html"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10641.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10641.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2019-10641.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Contao Does Not Invalidate Existing Sessions When Password Changes"
}
GHSA-VFQ6-HQ5R-27R6
Vulnerability from github – Published: 2020-01-16 22:35 – Updated: 2024-09-20 15:01Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-19844"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-16T22:34:58Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\u0027s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)",
"id": "GHSA-vfq6-hq5r-27r6",
"modified": "2024-09-20T15:01:08Z",
"published": "2020-01-16T22:35:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4598"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4224-1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200110-0003"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202004-17"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2020/Jan/9"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vfq6-hq5r-27r6"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django Potential account hijack via password reset form"
}
GHSA-VG8H-77QG-7W2F
Vulnerability from github – Published: 2023-03-13 21:30 – Updated: 2023-03-16 18:30The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.
{
"affected": [],
"aliases": [
"CVE-2023-0352"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-13T21:15:00Z",
"severity": "CRITICAL"
},
"details": "The Akuvox E11 password recovery webpage can be accessed without authentication, and an attacker could download the device key file. An attacker could then use this page to reset the password back to the default.",
"id": "GHSA-vg8h-77qg-7w2f",
"modified": "2023-03-16T18:30:27Z",
"published": "2023-03-13T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0352"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJVV-4332-CJW5
Vulnerability from github – Published: 2025-07-07 18:32 – Updated: 2025-07-07 18:32IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques.
{
"affected": [],
"aliases": [
"CVE-2024-43190"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T18:15:25Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques.",
"id": "GHSA-vjvv-4332-cjw5",
"modified": "2025-07-07T18:32:28Z",
"published": "2025-07-07T18:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43190"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7238992"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VM64-H6MJ-W9F2
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2023-12-12 03:31In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2023-42481"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T01:15:11Z",
"severity": "HIGH"
},
"details": "In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.\n\n",
"id": "GHSA-vm64-h6mj-w9f2",
"modified": "2023-12-12T03:31:43Z",
"published": "2023-12-12T03:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42481"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3394567"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.