CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-WVR4-W6CW-4PX8
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-02-01 21:27In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15929"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-01T21:27:09Z",
"nvd_published_at": "2019-10-24T16:15:00Z",
"severity": "CRITICAL"
},
"details": "In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.",
"id": "GHSA-wvr4-w6cw-4px8",
"modified": "2024-02-01T21:27:09Z",
"published": "2022-05-24T16:59:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15929"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/3.1.7/CHANGELOG-v3.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Craft CMS possibility of brute force attempts"
}
GHSA-WWGW-FWM7-PQ39
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes.
{
"affected": [],
"aliases": [
"CVE-2017-14005"
],
"database_specific": {
"cwe_ids": [
"CWE-620",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-17T22:29:00Z",
"severity": "HIGH"
},
"details": "An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user\u0027s password, enabling future access and possible configuration changes.",
"id": "GHSA-wwgw-fwm7-pq39",
"modified": "2022-05-13T01:37:41Z",
"published": "2022-05-13T01:37:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14005"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XC68-XQHG-HR75
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x. The password reset URL can be used after the intended expiration period or after the URL has already been used to reset a password.
{
"affected": [],
"aliases": [
"CVE-2018-16529"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-28T17:29:00Z",
"severity": "CRITICAL"
},
"details": "A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x. The password reset URL can be used after the intended expiration period or after the URL has already been used to reset a password.",
"id": "GHSA-xc68-xqhg-hr75",
"modified": "2022-04-30T00:02:14Z",
"published": "2022-04-30T00:02:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16529"
},
{
"type": "WEB",
"url": "https://help.forcepoint.com/security/CVE/CVE-2018-16529.html"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2018/Nov/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH8Q-Q4R3-6X29
Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2021-12-17 00:00In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-39919"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.",
"id": "GHSA-xh8q-q4r3-6x29",
"modified": "2021-12-17T00:00:52Z",
"published": "2021-12-14T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39919"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39919.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/342445"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XJ35-RHXX-W86C
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-11-24 15:31A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device.
{
"affected": [],
"aliases": [
"CVE-2021-22763"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device.",
"id": "GHSA-xj35-rhxx-w86c",
"modified": "2024-11-24T15:31:37Z",
"published": "2022-05-24T19:05:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22763"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-159-02.pdf"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02%2Chttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02,http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJVV-99GP-JGRM
Vulnerability from github – Published: 2022-12-12 12:30 – Updated: 2022-12-12 12:30In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number.
{
"affected": [],
"aliases": [
"CVE-2022-3485"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T12:15:00Z",
"severity": "CRITICAL"
},
"details": "In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number.",
"id": "GHSA-xjvv-99gp-jgrm",
"modified": "2022-12-12T12:30:30Z",
"published": "2022-12-12T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3485"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2022-050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMXC-2JC7-W66M
Vulnerability from github – Published: 2022-12-26 21:30 – Updated: 2025-04-14 18:31In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password.
{
"affected": [],
"aliases": [
"CVE-2020-12067"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T19:15:00Z",
"severity": "HIGH"
},
"details": "In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user\u0027s password may be changed by an attacker without knowledge of the current password.",
"id": "GHSA-xmxc-2jc7-w66m",
"modified": "2025-04-14T18:31:42Z",
"published": "2022-12-26T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12067"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2021-061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPXQ-36MX-CWHX
Vulnerability from github – Published: 2022-05-14 02:01 – Updated: 2022-05-14 02:01An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.
{
"affected": [],
"aliases": [
"CVE-2018-12579"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-20T22:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.",
"id": "GHSA-xpxq-36mx-cwhx",
"modified": "2022-05-14T02:01:44Z",
"published": "2022-05-14T02:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12579"
},
{
"type": "WEB",
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"type": "WEB",
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQ5P-RR5F-VJC5
Vulnerability from github – Published: 2026-02-16 18:31 – Updated: 2026-02-16 18:31A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2026-2564"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-16T17:18:09Z",
"severity": "CRITICAL"
},
"details": "A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component.",
"id": "GHSA-xq5p-rr5f-vjc5",
"modified": "2026-02-16T18:31:28Z",
"published": "2026-02-16T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2564"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.346171"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.346171"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.741776"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XQX5-9RJR-CJQ9
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user.
{
"affected": [],
"aliases": [
"CVE-2021-28293"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user.",
"id": "GHSA-xqx5-9rjr-cjq9",
"modified": "2022-05-24T19:04:19Z",
"published": "2022-05-24T19:04:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28293"
},
{
"type": "WEB",
"url": "https://0xdb9.in/2021/06/07/cve-2021-28293.html"
},
{
"type": "WEB",
"url": "https://www.seceon.com/advanced-siem-aisiem"
},
{
"type": "WEB",
"url": "http://aisiem.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.