CWE-640

Exploit likelihood: High

Weak Password Recovery Mechanism for Forgotten Password

Parent: CWE-1390 - Weak Authentication

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
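The entries listed below recur around a few concrete defects: a short numeric reset code that can be enumerated, no expiry or attempt limit on the code, and a reset link built from the request's Host header so a forged header redirects the victim's link to an attacker. The following Python is an added illustrative example written for this page, not code from any product listed here; it puts a minimal weak reset flow with those properties next to a hardened one. The class names, BASE_URL, TOKEN_TTL, MAX_ATTEMPTS and the pepper value are assumptions for the demo.

```python
"""Weak vs. hardened password-reset token handling (CWE-640).

Illustrative example added to this page; not code from any product listed
here. Class names, BASE_URL, TOKEN_TTL, MAX_ATTEMPTS and the pepper are
assumptions for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


class WeakReset:
    """Hypothetical design exhibiting CWE-640: 6-digit code, no expiry,
    no attempt limit, reset link built from the attacker-influenced Host."""

    def __init__(self):
        self.otps = {}  # user -> current OTP, stored in plaintext

    def request(self, user, request_host):
        otp = "%06d" % secrets.randbelow(10**6)       # only 10^6 possible values
        self.otps[user] = otp
        # Host header poisoning: a forged Host makes the emailed link point at
        # the attacker's server, which then receives the victim's OTP.
        return f"https://{request_host}/reset?user={user}&otp={otp}"

    def verify(self, user, otp):
        return self.otps.get(user) == otp             # unlimited guesses, never expires


def brute_force_otp(weak, user):
    """Attacker enumerates every 6-digit code; returns (guesses needed, code)."""
    for guess in range(10**6):
        code = "%06d" % guess
        if weak.verify(user, code):
            return guess + 1, code
    raise RuntimeError("no OTP pending for user")


TOKEN_TTL = 900                     # seconds a reset token stays valid (assumed policy)
MAX_ATTEMPTS = 5                    # failed verifications before the token is discarded
BASE_URL = "https://app.example"    # fixed; never derived from the Host header


@dataclass
class PendingReset:
    token_hash: bytes
    expires_at: float
    attempts: int = 0


class HardenedReset:
    """Unguessable single-use token, stored hashed, with expiry and attempt limit."""

    def __init__(self, pepper, now=time.time):
        self.pepper = pepper    # server-side secret: a leaked table alone is useless
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # user -> PendingReset

    def _digest(self, token):
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).digest()

    def request(self, user, request_host=None):
        token = secrets.token_urlsafe(32)             # 256 bits of entropy
        self.pending[user] = PendingReset(self._digest(token), self.now() + TOKEN_TTL)
        # request_host only mirrors WeakReset's signature; it is deliberately ignored.
        return f"{BASE_URL}/reset?user={user}&token={token}"

    def verify(self, user, token):
        rec = self.pending.get(user)
        if rec is None:
            return False
        if self.now() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            del self.pending[user]                    # expired or locked out
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.token_hash, self._digest(token))
        if ok:
            del self.pending[user]                    # single use
        return ok


def extract_param(link, name):
    """Pull one query parameter from a reset link (stands in for the mail client)."""
    return parse_qs(urlparse(link).query)[name][0]


if __name__ == "__main__":
    weak = WeakReset()
    link = weak.request("alice", "attacker.example")  # poisoned Host header
    print("weak link:", link)
    print("weak OTP recovered after %d guesses" % brute_force_otp(weak, "alice")[0])

    hard = HardenedReset(b"server-side-pepper")
    link = hard.request("alice", "attacker.example")
    print("hardened link:", link)
    tok = extract_param(link, "token")
    print("first use:", hard.verify("alice", tok), "replay:", hard.verify("alice", tok))
```

Running it shows the weak code falling to at most a million guesses with no lockout, while the hardened flow rejects a replayed token, locks the token after MAX_ATTEMPTS failures, and never lets the request's Host header reach the link. The hash-at-rest and constant-time comparison cost nothing extra and close the remaining ways a token can leak or be matched byte by byte.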

272 vulnerabilities with CWE-640
CVE             Severity  CVSS  Affected product and issue
CVE-2025-2093   LOW       3.1   PHPGurukul Online Library Management System 3.0 - Weak Password Recovery Mechanism in /change-password.php
CVE-2025-1570   HIGH      8.1   Directorist < 8.1 - Unauthenticated Account Takeover via Weak Password Reset OTP Brute Force
CVE-2025-1231   MEDIUM    5.4   Dovolations Server <2024.3.10.0 - Privilege Escalation
CVE-2025-22144  CRITICAL  9.8   NamelessMC < 2.1.3 - Authenticated Account Takeover via Password Reset Bypass
CVE-2025-0331   MEDIUM    5.3   YunzMall <= 2.4.2 - Weak Password Recovery via ResetpwdController pwd Parameter
CVE-2024-32642  HIGH      8.8   MasaCMS < 7.2.8 - Account Takeover via Host Header Poisoning
CVE-2024-43190  MEDIUM    5.9   IBM Engineering Requirements Management DOORS 9.7.2.9 - Info Disclo...
CVE-2024-12295  HIGH      8.8   BoomBox Theme Extensions <1.8.0 - Privilege Escalation
CVE-2024-12604  MEDIUM    6.5   Tap&Sign App <V.1.025 - Info Disclosure
CVE-2024-11350  CRITICAL  9.8   AdForest <5.1.6 - Privilege Escalation
CVE-2024-53552  CRITICAL  9.8   CrushFTP 10.0.0-10.8.2 and 11.0.0-11.2.2 - Account Takeover via Weak Password Recovery Mechanism
CVE-2024-47547  CRITICAL  9.4   Ruijie Reyee OS <2.320.x - Info Disclosure
CVE-2024-11103  CRITICAL  9.8   Contest Gallery < 24.0.8 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
CVE-2024-45670  MEDIUM    5.6   IBM Security SOAR < 51.0.2.0 - Weak Password Recovery Mechanism
CVE-2024-50356  NONE      -     frappe/press - Weak Password Recovery Mechanism for Forgotten Password
CVE-2024-48428  CRITICAL  9.8   Olivegroup Olivevle - Password Reset Weakness
CVE-2024-9302   HIGH      8.1   App Builder < 5.3.7 - Unauthenticated Account Takeover via OTP Brute Force
CVE-2024-9305   HIGH      8.1   AppPresser - Mobile App Framework <= 4.4.4 - Unauthenticated Privilege Escalation via Password Reset OTP Brute Force
CVE-2024-9907   LOW       3.7   QileCMS <= 1.1.3 - Weak Password Recovery via Verification Code Handler
CVE-2024-45980  HIGH      8.8   MEANStore 1.0 - Host Header Injection
CVE-2024-8878   CRITICAL  9.8   Riello Netman 204 Firmware <= 4.05 - Weak Password Recovery Mechanism
CVE-2024-8692   MEDIUM    5.3   TDuckCloud TDuckPro <6.3 - Weak Password Recovery
CVE-2024-42915  HIGH      8.0   Staff Appraisal System v1.0 - Host Header Injection
CVE-2024-6203   HIGH      8.3   HaloITSM <2.146.1 - Password Reset Poisoning
CVE-2024-38287  CRITICAL  9.8   R-HUB TurboMeeting <8.x - Info Disclosure