CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-XR65-2GPF-FJ8V
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2025-04-20 03:37WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
{
"affected": [],
"aliases": [
"CVE-2017-8295"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-04T14:29:00Z",
"severity": "MODERATE"
},
"details": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim\u0027s e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.",
"id": "GHSA-xr65-2gpf-fj8v",
"modified": "2025-04-20T03:37:13Z",
"published": "2022-05-17T00:26:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8295"
},
{
"type": "WEB",
"url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/8807"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41963"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3870"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98295"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRF9-VPRM-8M66
Vulnerability from github – Published: 2025-07-20 12:30 – Updated: 2025-07-20 12:30A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-7881"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-20T10:15:25Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-xrf9-vprm-8m66",
"modified": "2025-07-20T12:30:26Z",
"published": "2025-07-20T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7881"
},
{
"type": "WEB",
"url": "https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README20.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.316996"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.316996"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.611328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XRFH-P66C-M56H
Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2025-04-20 03:39QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function.
{
"affected": [],
"aliases": [
"CVE-2017-7629"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T20:29:00Z",
"severity": "HIGH"
},
"details": "QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function.",
"id": "GHSA-xrfh-p66c-m56h",
"modified": "2025-04-20T03:39:12Z",
"published": "2022-05-17T02:40:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7629"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en-us/releasenotes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.