CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Exploit likelihood: High
Parent: CWE-1390 - Weak Authentication
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
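The recurring patterns behind the entries below are a reset token that an attacker can reproduce or guess, a token that is never expired or consumed, and a reset request whose account binding the attacker controls. The following is an added example (not code from any product on this list) that puts a deliberately weak reset service next to a hardened one. The account store, user names and timestamps are constructed for the demonstration; the weak token formula is a generic illustration, not taken from any listed CVE.

```python
"""Weak vs. hardened password-reset token handling (CWE-640). Added example."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory account store standing in for a user database
# (plaintext only to keep the example short; a real store holds hashes).
PASSWORDS = {"alice": "old-password", "admin": "old-admin-password"}


class WeakResetService:
    """Token derived from guessable inputs; never expires, never consumed."""

    def __init__(self):
        self.tokens = {}  # token -> username

    def request_reset(self, username, now=None):
        now = int(time.time() if now is None else now)
        # Weak: md5(username:minute) is reproducible by anyone who knows the
        # victim's username and roughly when the reset was requested.
        token = hashlib.md5(f"{username}:{now // 60}".encode()).hexdigest()
        self.tokens[token] = username
        return token

    def reset_password(self, token, new_password, now=None):
        # 'now' is ignored: there is no expiry, and the token is never removed,
        # so a token that leaks once (logs, referer, mailbox) is valid forever.
        username = self.tokens.get(token)
        if username is None:
            return False
        PASSWORDS[username] = new_password
        return True


def forge_weak_token(username, approx_request_time):
    """Attacker side: rebuild the weak token offline for a known account."""
    minute = int(approx_request_time) // 60
    return hashlib.md5(f"{username}:{minute}".encode()).hexdigest()


@dataclass
class ResetRecord:
    token_hash: bytes
    expires_at: float


class HardenedResetService:
    """CSPRNG token, stored only as a hash, bound to the account, expiring, single use."""

    def __init__(self):
        self.records = {}  # username -> ResetRecord

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is persisted, so a database leak does not yield live
        # tokens. Keying by username also supersedes any earlier outstanding token.
        self.records[username] = ResetRecord(self._hash(token), now + TOKEN_TTL_SECONDS)
        return token  # delivered out of band (e-mail link); never logged

    def reset_password(self, username, token, new_password, now=None):
        now = time.time() if now is None else now
        record = self.records.get(username)
        if record is None:
            return False
        if now > record.expires_at:
            del self.records[username]
            return False
        # Constant-time comparison of hashes, looked up by the account the
        # request names, so a token issued for "alice" cannot be replayed
        # against "admin" by editing the form's user field.
        if not hmac.compare_digest(record.token_hash, self._hash(token)):
            return False
        del self.records[username]  # single use
        PASSWORDS[username] = new_password
        return True


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    weak = WeakResetService()
    weak.request_reset("admin", now=t0)
    print("weak service, forged token:",
          weak.reset_password(forge_weak_token("admin", t0 + 30), "attacker-chosen"))
    hard = HardenedResetService()
    real = hard.request_reset("admin", now=t0)
    print("hardened, forged token:",
          hard.reset_password("admin", forge_weak_token("admin", t0 + 30), "x", now=t0 + 30))
    print("hardened, real token:", hard.reset_password("admin", real, "new", now=t0 + 30))
    print("hardened, replay:", hard.reset_password("admin", real, "new2", now=t0 + 60))
```

The hardened variant also serves as a checklist when reviewing a reset flow: random source, storage form, account binding, expiry, and single use. Absence of any one of them is enough to land a product on a list like this one.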
272 vulnerabilities with CWE-640
CVE-2018-7811
CRITICAL
Modicon M340-Quantum - Info Disclosure
CVSS 9.8
CVE-2018-7809
CRITICAL
Modicon M340-Quantum - Info Disclosure
CVSS 9.8
CVE-2018-17881
CRITICAL
D-Link DIR-823G 2018-09-19 - Unauthenticated Admin Password Change via HNAP1 SetPasswdSettings
CVSS 9.8
CVE-2018-17401
HIGH
PhonePe wallet <3.3.26 - Info Disclosure
CVSS 8.8
CVE-2018-17298
CRITICAL
Enalean Tuleap <10.5 - Info Disclosure
CVSS 9.8
CVE-2018-12579
HIGH
OXID eShop <5.3.8,6.0.x<6.0.3,6.1.x<6.1.0 - Auth Bypass
CVSS 8.1
CVE-2018-1000554
CRITICAL
Trovebox <=4.0.0-rc6 - Info Disclosure
CVSS 9.8
CVE-2018-1000501
CRITICAL
Instant Update CMS <v0.3.3 - Privilege Escalation
CVSS 9.8
CVE-2018-12421
CRITICAL
LTB Self Service Password <1.3 - Auth Bypass
CVSS 9.8
CVE-2018-8916
MEDIUM
Synology DiskStation Manager < 6.2-23739 - Authenticated Unverified Password Change
CVSS 6.3
CVE-2018-11134
HIGH
Quest KACE System Management Appliance 8.0.318 - Privilege Escalation via Password Change Command
CVSS 8.8
CVE-2018-10210
MEDIUM
Vaultize Enterprise File Sharing <17.05.31 - Info Disclosure
CVSS 5.3
CVE-2018-10081
CRITICAL
CMS Made Simple < 2.2.7 - Admin Password Reset via Weak Hash Comparison
CVSS 9.8
CVE-2018-0787
HIGH
ASP.NET Core 1.0, 1.1, 2.0 - Elevation of Privilege via Web Request Validation
CVSS 8.8
CVE-2017-2614
MEDIUM
Red Hat Enterprise Virtualization - Unauthenticated Password Update on Expired Accounts
CVSS 6.8
CVE-2017-0921
HIGH
GitLab <10.1.6-10.3.4 - Info Disclosure
CVSS 8.1
CVE-2017-12161
HIGH
Keycloak < 3.4.2 - Password Reset Token Spoofing via Hosts File Manipulation
CVSS 8.8
CVE-2017-8916
HIGH
CIS-CAT Pro Dashboard <1.0.4 - Privilege Escalation
CVSS 7.8
CVE-2017-1000141
MEDIUM
Mahara <18.10.0 - Privilege Escalation
CVSS 6.5
CVE-2017-17097
CRITICAL
GPS Tracking Software 2.x - Info Disclosure
CVSS 9.8
CVE-2017-14005
HIGH
ProMinent MultiFLEX M10a - Privilege Escalation
CVSS 8.8
CVE-2017-7551
CRITICAL
389-ds-base <1.3.5.19,1.3.6.7 - Info Disclosure
CVSS 9.8
CVE-2017-12851
HIGH
kanboard < 1.0.45 - Authenticated Password Reset to Admin via Form Data Manipulation
CVSS 8.8
CVE-2017-12850
HIGH
kanboard < 1.0.45 - Authenticated Password Reset via Form Data Manipulation
CVSS 8.8
CVE-2017-8613
HIGH
Azure AD Connect - Weak Password Recovery Mechanism for Forgotten Password
CVSS 8.1