Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-VWC3-57VR-H373

Vulnerability from github – Published: 2023-07-20 00:30 – Updated: 2024-04-04 06:17
VLAI
Details

Weintek Weincloud v0.13.6

could allow an attacker to reset a password with the corresponding account’s JWT token only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "\n\n\nWeintek Weincloud v0.13.6\n\n could allow an attacker to reset a password with the corresponding account\u2019s JWT token only.\n\n\n\n",
  "id": "GHSA-vwc3-57vr-h373",
  "modified": "2024-04-04T06:17:25Z",
  "published": "2023-07-20T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35134"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W47M-6QCR-7XG2

Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00
VLAI
Details

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP and BMEH*) (V3.20 and prior).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-12T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).",
  "id": "GHSA-w47m-6qcr-7xg2",
  "modified": "2022-09-16T00:00:33Z",
  "published": "2022-09-13T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37300"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/us/en/download/document/SEVD-2022-221-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5VV-XFCC-X3JC

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.",
  "id": "GHSA-w5vv-xfcc-x3jc",
  "modified": "2022-05-13T01:36:54Z",
  "published": "2022-05-13T01:36:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2614"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2614"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0257.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6GX-C4X9-QJP2

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30
VLAI
Details

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the pravel_change_password() AJAX handler — registered via wp_ajax_nopriv_pravel_change_password and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied reset_activation_code POST parameter and the target user's forgot_email user meta value; when a user has never initiated a password reset, get_user_meta() returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to admin-ajax.php with action=pravel_change_password, reset_user_id set to the target account's user ID, and new_password_custom set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T07:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "The SignUp \u0026 SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler \u2014 registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users \u2014 performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user\u0027s `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account\u0027s user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.",
  "id": "GHSA-w6gx-c4x9-qjp2",
  "modified": "2026-06-24T09:30:45Z",
  "published": "2026-06-24T09:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12417"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L222"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L229"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L38"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7V3-573J-VHR9

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00
VLAI
Details

An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An attacker can access to \"Forgot my password\" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not.",
  "id": "GHSA-w7v3-573j-vhr9",
  "modified": "2022-07-15T00:00:16Z",
  "published": "2022-07-07T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23172"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9XH-5F39-VQ89

Vulnerability from github – Published: 2026-05-20 15:46 – Updated: 2026-05-28 14:20
VLAI
Summary
phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
Details

Summary

An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.

Details

File: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php Lines: 56-130 The updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:

[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]

public function updatePassword(Request $request): JsonResponse
{
    $data = json_decode($request->getContent());
    $username = trim((string) Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS));
    $email = trim((string) Filter::filterEmail($data->email));
    if ($username !== '' && $username !== '0' && ($email !== '' && $email !== '0')) {
        $user = ($this->currentUserFactory ?? CurrentUser::getCurrentUser(...))($this->configuration);
        $loginExist = $user->getUserByLogin($username);
        if ($loginExist && $email === $user->getUserData('email')) {
            // NO TOKEN CHECK
            // NO RATE LIMITING
            // NO EMAIL VERIFICATION
            $newPassword = $user->createPassword();
            $user->changePassword($newPassword);
            $mail->send(); // New password sent in plaintext
        }
    }
}


Root Causes:

  1. No time-limited cryptographic token required for password reset
  2. No rate limiting on the endpoint (allows unlimited username/email enumeration)
  3. No verification email sent to original address before reset
  4. New password sent in plaintext email without any confirmation step

PoC

Prerequisites: None (unauthenticated attack) Step 1 - Username/Email Enumeration (no rate limiting): Test with wrong email - reveals if user exists

curl -X PUT -H "Content-Type: application/json" \
  -d '{"username":"admin","email":"wrong@test.com"}' \
  http://target/phpmyfaq/api/user/password/update

Response: {"error":"The email doesn't exist..."} <- user exists but wrong email

OR

Response: {"error":"The user doesn't exist"} <- user doesn't exist

Step 2 - Password Reset (no token required):

curl -X PUT -H "Content-Type: application/json" \
  -d '{"username":"admin","email":"admin@target.com"}' \
  http://target/phpmyfaq/api/user/password/update

Response: {"success":"Email has been sent."} The new plaintext password is sent to admin@target.com

Step 3 - Account Takeover: Attacker now has valid credentials and can log in as SuperAdmin.

Impact

Aspect Details Vulnerability Type Authentication Bypass / Weak Password Recovery Mechanism (CWE-640) Attack Vector Network (unauthenticated HTTP request) Privileges Required None User Interaction None Scope Full administrative access to phpMyFAQ Confidentiality High - attacker gains full access to all user data and FAQ content Integrity High - attacker can modify all content and settings Availability High - attacker can lock out legitimate users Who is Impacted: - All phpMyFAQ administrators using default installations - Any organization using phpMyFAQ for internal knowledge bases - End users whose accounts could be compromised - Organizations relying on phpMyFAQ for customer support FAQs Attack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-359",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:46:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.\n\n\n### Details\nFile: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php\nLines: 56-130\nThe updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:\n#[Route(path: \u0027user/password/update\u0027, name: \u0027api.private.user.password\u0027, methods: [\u0027PUT\u0027])]\n```php\npublic function updatePassword(Request $request): JsonResponse\n{\n    $data = json_decode($request-\u003egetContent());\n    $username = trim((string) Filter::filterVar($data-\u003eusername, FILTER_SANITIZE_SPECIAL_CHARS));\n    $email = trim((string) Filter::filterEmail($data-\u003eemail));\n    if ($username !== \u0027\u0027 \u0026\u0026 $username !== \u00270\u0027 \u0026\u0026 ($email !== \u0027\u0027 \u0026\u0026 $email !== \u00270\u0027)) {\n        $user = ($this-\u003ecurrentUserFactory ?? CurrentUser::getCurrentUser(...))($this-\u003econfiguration);\n        $loginExist = $user-\u003egetUserByLogin($username);\n        if ($loginExist \u0026\u0026 $email === $user-\u003egetUserData(\u0027email\u0027)) {\n            // NO TOKEN CHECK\n            // NO RATE LIMITING\n            // NO EMAIL VERIFICATION\n            $newPassword = $user-\u003ecreatePassword();\n            $user-\u003echangePassword($newPassword);\n            $mail-\u003esend(); // New password sent in plaintext\n        }\n    }\n}\n\n\n```\n\n### Root Causes:\n1. No time-limited cryptographic token required for password reset\n2. No rate limiting on the endpoint (allows unlimited username/email enumeration)\n3. No verification email sent to original address before reset\n4. New password sent in plaintext email without any confirmation step\n\n\n### PoC\nPrerequisites: None (unauthenticated attack)\nStep 1 - Username/Email Enumeration (no rate limiting):\nTest with wrong email - reveals if user exists\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"admin\",\"email\":\"wrong@test.com\"}\u0027 \\\n  http://target/phpmyfaq/api/user/password/update\n```\nResponse: {\"error\":\"The email doesn\u0027t exist...\"}  \u003c- user exists but wrong email\n\nOR\n\nResponse: {\"error\":\"The user doesn\u0027t exist\"}     \u003c- user doesn\u0027t exist\n\nStep 2 - Password Reset (no token required):\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"admin\",\"email\":\"admin@target.com\"}\u0027 \\\n  http://target/phpmyfaq/api/user/password/update\n```\n\nResponse: {\"success\":\"Email has been sent.\"}\nThe new plaintext password is sent to admin@target.com\n\nStep 3 - Account Takeover:\nAttacker now has valid credentials and can log in as SuperAdmin.\n\n\n\n### Impact\nAspect\tDetails\nVulnerability Type\tAuthentication Bypass / Weak Password Recovery Mechanism (CWE-640)\nAttack Vector\tNetwork (unauthenticated HTTP request)\nPrivileges Required\tNone\nUser Interaction\tNone\nScope\tFull administrative access to phpMyFAQ\nConfidentiality\tHigh - attacker gains full access to all user data and FAQ content\nIntegrity\tHigh - attacker can modify all content and settings\nAvailability\tHigh - attacker can lock out legitimate users\nWho is Impacted:\n- All phpMyFAQ administrators using default installations\n- Any organization using phpMyFAQ for internal knowledge bases\n- End users whose accounts could be compromised\n- Organizations relying on phpMyFAQ for customer support FAQs\nAttack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address",
  "id": "GHSA-w9xh-5f39-vq89",
  "modified": "2026-05-28T14:20:34Z",
  "published": "2026-05-20T15:46:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration"
}

GHSA-WGPJ-7C2J-VFJM

Vulnerability from github – Published: 2021-04-08 16:33 – Updated: 2024-09-23 16:09
VLAI
Summary
Indico Tampering with links (e.g. password reset) in sent emails
Details

Impact

An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the Host header. Had a user clicked such a link without realizing it does not point to Indico (and that they never requested it), it would have revealed their password reset token to the attacker, allowing them to reset the password for that user and thus take over their Indico account.

  • If the web server already enforces a canonical host name, this cannot be exploited (this was not part of the default config from the Indico setup guide)
  • If only SSO is used (LOCAL_IDENTITIES set to False), the vulnerability cannot be exploited for password reset links, but other links in emails set by Indico could be tampered with in the same way (with less problematic impact though)

Patches

You need to update to Indico 2.3.4 as soon as possible. See the docs for instructions on how to update.

Workarounds

You can configure the web server to canonicalize the URL to the hostname used for Indico. See this commit for the changes in our setup docs; they can be easily applied to your existing web server config.

For more information

If you have any questions or comments about this advisory:

  • Open a thread in our forum
  • Email us privately at indico-team@cern.ch
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-30185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T16:33:24Z",
    "nvd_published_at": "2021-04-07T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn external audit of the Indico codebase has discovered a vulnerability in Indico\u0027s URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the `Host` header. Had a user clicked such a link without realizing it does not point to Indico (and that they never requested it), it would have revealed their password reset token to the attacker, allowing them to reset the password for that user and thus take over their Indico account.\n\n- If the web server already enforces a canonical host name, this cannot be exploited (this was not part of the default config from the Indico setup guide)\n- If only SSO is used ([`LOCAL_IDENTITIES`](https://docs.getindico.io/en/stable/config/settings/#LOCAL_IDENTITIES) set to `False`), the vulnerability cannot be exploited for password reset links, but other links in emails set by Indico could be tampered with in the same way (with less problematic impact though)\n\n### Patches\nYou need to update to [Indico 2.3.4](https://github.com/indico/indico/releases/tag/v2.3.4) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nYou can configure the web server to canonicalize the URL to the hostname used for Indico. See [this commit](https://github.com/indico/indico/pull/4815/commits/b6bff6d004abcf07db1891e26a0eb4aa0edb7c21) for the changes in our setup docs; they can be easily applied to your existing web server config.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at indico-team@cern.ch",
  "id": "GHSA-wgpj-7c2j-vfjm",
  "modified": "2024-09-23T16:09:57Z",
  "published": "2021-04-08T16:33:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-wgpj-7c2j-vfjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30185"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wgpj-7c2j-vfjm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v2.3.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2021-18.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.shorebreaksecurity.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico Tampering with links (e.g. password reset) in sent emails"
}

GHSA-WJ48-VR63-9MC8

Vulnerability from github – Published: 2022-05-17 01:57 – Updated: 2022-05-17 01:57
VLAI
Details

An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-14T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.",
  "id": "GHSA-wj48-vr63-9mc8",
  "modified": "2022-05-17T01:57:47Z",
  "published": "2022-05-17T01:57:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12851"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/b79b18efd7a1a8b591753a4eddd473f88d55b7df"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP73-Q74Q-5P3Q

Vulnerability from github – Published: 2024-06-03 09:30 – Updated: 2024-06-03 09:30
VLAI
Details

An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-03T09:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated remote attacker\u00a0can change the admin password in a\u00a0moneo appliance due to weak password recovery mechanism.\n",
  "id": "GHSA-wp73-q74q-5p3q",
  "modified": "2024-06-03T09:30:48Z",
  "published": "2024-06-03T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5404"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-028"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ5G-2475-CMRR

Vulnerability from github – Published: 2025-03-19 06:31 – Updated: 2025-03-19 06:31
VLAI
Details

The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-19T05:15:39Z",
    "severity": "HIGH"
  },
  "details": "The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the \u0027boombox_ajax_reset_password\u0027 function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-wq5g-2475-cmrr",
  "modified": "2025-03-19T06:31:54Z",
  "published": "2025-03-19T06:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12295"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c453aaf6-767d-4929-bbb3-3c0b78b0507a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.