CWE-640

Exploit likelihood: High

Weak Password Recovery Mechanism for Forgotten Password

Parent: CWE-1390 - Weak Authentication

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

272 vulnerabilities with CWE-640
CVE              Severity  CVSS  Affected product / issue
CVE-2022-47377   CRITICAL  9.8   SICK SIM2000ST <1.13.4 - Privilege Escalation
CVE-2022-3485    CRITICAL  9.8   IFM Moneo Appliance < 1.9.3 - Unauthenticated Password Reset via Serial Number
CVE-2022-44004   CRITICAL  9.8   BACKCLICK Professional <5.9.63 - Auth Bypass
CVE-2022-37300   CRITICAL  9.8   EcoStruxure Control Expert < 15.1 - Weak Password Recovery Mechanism for Forgotten Password
CVE-2022-34530   MEDIUM    5.3   Backdrop CMS < 1.22.0 - Username Enumeration via Password Reset Request
CVE-2022-23172   MEDIUM    5.5   Priority < 22.0 - User Enumeration via Forgot Password Feature
CVE-2022-29174   HIGH      8.1   Countly Server <22.03.7, <21.11.4 - Info Disclosure
CVE-2022-29933   HIGH      8.8   Craft CMS < 3.7.36 - Unauthenticated Account Takeover via Password Reset Poisoning
CVE-2022-24892   MEDIUM    6.4   Shopware 5.0.4-5.7.8 - Weak Password Recovery Mechanism for Forgotten Password
CVE-2022-27157   CRITICAL  9.8   PHP Pearweb < 1.32.0 - Password Reset Weakness
CVE-2022-1073    HIGH      7.3   Automatic Question Paper Generator 1.0 - Weak Password Recovery Mechanism
CVE-2022-0777    HIGH      7.5   microweber/microweber <1.3 - Info Disclosure
CVE-2022-23619   MEDIUM    5.3   XWiki < 12.10.9, 13.5RC1-13.6RC1 - Unauthenticated User Enumeration via Password Reset Form
CVE-2022-23855   CRITICAL  9.8   Saviynt EIC <5.5 SP2.x - Auth Bypass
CVE-2022-22691   MEDIUM    6.8   Umbraco CMS < 9.2.0 - Password Reset Token Disclosure via Host Header Manipulation
CVE-2021-29038   MEDIUM    6.3   Liferay Portal 7.2.0-7.3.5 and Liferay DXP < 7.3 FP1 - Password Reminder Answer Exposure
CVE-2021-36436   MEDIUM    5.3   Mobicint Backend for Credit Unions <3 - Info Disclosure
CVE-2021-43498   HIGH      7.5   ATutor 2.2.4 - Weak Password Recovery Mechanism via Password Reminder Parameters
CVE-2021-27654   HIGH      7.8   Pega Infinity 8.2.1-8.6.1 - Weak Password Recovery Mechanism for Forgotten Password
CVE-2021-44839   MEDIUM    6.5   Delta RM 1.2 - Weak Password Recovery Mechanism via send-mail.json Endpoint
CVE-2021-39919   MEDIUM    4.4   GitLab 14.0-14.3.5, 14.4-14.4.3, 14.5-14.5.1 - Weak Password Recovery Mechanism via Token Logging
CVE-2021-44037   HIGH      7.5   Team Password Manager < 10.135.236 - Password Reset Poisoning
CVE-2021-39899   LOW       2.9   GitLab < 14.1.7 - Weak Password Recovery Mechanism via Brute Force Attack
CVE-2021-25961   HIGH      8.0   SuiteCRM 7.1.7-7.10.31 and 7.11-beta-7.11.20 - Account Takeover via Uninvalidated Password Reset Links
CVE-2021-36095   MEDIUM    5.3   OTRS <6.0.1, >7.0.28 - Info Disclosure
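The entries above fall into a few recurring weakness patterns: user enumeration through the reset form, reset-link poisoning via the Host header, reset tokens that are guessable, logged or otherwise disclosed, and reset links that stay valid after use or after a newer one is issued. The Python example below is added here to show one reset flow that closes each of those gaps; it is not code from this page or from any of the listed products. The in-memory user store, the outbox stand-in for mail delivery, the e-mail addresses and the CANONICAL_ORIGIN value are all constructed for the example, and the weak_reset_link function is included only to show the poisoning anti-pattern next to the hardened link builder.

```python
"""Hardened 'forgot password' flow (added example; not code from any listed product).

Controls, each mapped to a weakness pattern from the CWE-640 list:
  * identical reply for known and unknown addresses         -> no user enumeration
  * link origin from configuration, never the Host header   -> no reset poisoning
  * 256-bit random token; only its SHA-256 digest is stored -> no brute force, no
    usable token in a database dump or log line
  * token expires, is single-use, and a newer request or a
    password change voids earlier links                     -> no stale links
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_TTL_SECONDS = 15 * 60
CANONICAL_ORIGIN = "https://app.example.com"   # assumption: read from deployment config
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-SHA256, stored as '<salt hex>$<derived key hex>'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def weak_reset_link(request_host: str, token: str) -> str:
    """Anti-pattern behind 'password reset poisoning': the link origin is taken
    from the attacker-controllable Host header, so the victim's token is sent
    to whatever host the attacker supplied in the reset request."""
    return f"https://{request_host}/reset?token={token}"


@dataclass
class User:
    email: str
    password_hash: str


class PasswordResetService:
    def __init__(self, users: List[User], now: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {u.email.lower(): u for u in users}
        self.now = now
        # SHA-256(token) -> (email, expiry). Only the digest is persisted; an
        # exact-match lookup is safe because producing a matching digest
        # already requires knowing the full token.
        self.pending: Dict[str, Tuple[str, float]] = {}
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for mail delivery

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _void_tokens_for(self, email: str) -> None:
        for digest in [d for d, (e, _) in self.pending.items() if e == email]:
            del self.pending[digest]

    def request_reset(self, email: str) -> str:
        """Same reply text whether or not the address exists (a real handler
        also keeps the status code and response time comparable)."""
        user = self.users.get(email.strip().lower())
        if user is not None:
            self._void_tokens_for(user.email.lower())       # one live link per account
            token = secrets.token_urlsafe(32)               # 256 bits of entropy
            expiry = self.now() + TOKEN_TTL_SECONDS
            self.pending[self._digest(token)] = (user.email.lower(), expiry)
            self.outbox.append((user.email, f"{CANONICAL_ORIGIN}/reset?token={token}"))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self.pending.pop(self._digest(token), None)  # pop: single use, even on failure
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email].password_hash = hash_password(new_password)
        self._void_tokens_for(email)                          # password change voids siblings
        return True


def demo() -> Dict[str, bool]:
    """Drive the flow on constructed data; each key names a property being checked."""
    alice = User("alice@example.com", hash_password("old-password"))
    clock = [1_000_000.0]
    svc = PasswordResetService([alice], now=lambda: clock[0])
    last_token = lambda: svc.outbox[-1][1].split("token=", 1)[1]
    r: Dict[str, bool] = {}
    r["uniform_reply"] = svc.request_reset("nobody@example.com") == svc.request_reset("Alice@Example.com")
    token = last_token()
    r["fixed_origin"] = svc.outbox[-1][1].startswith(CANONICAL_ORIGIN + "/reset?token=")
    r["only_digest_stored"] = token not in svc.pending
    r["garbage_rejected"] = not svc.complete_reset("not-a-real-token", "x")
    r["reset_works"] = svc.complete_reset(token, "new-password") and verify_password("new-password", alice.password_hash)
    r["single_use"] = not svc.complete_reset(token, "again")
    svc.request_reset("alice@example.com")
    old = last_token()
    svc.request_reset("alice@example.com")
    r["reissue_voids_old"] = not svc.complete_reset(old, "p") and svc.complete_reset(last_token(), "p")
    svc.request_reset("alice@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    r["expiry_enforced"] = not svc.complete_reset(last_token(), "p")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'OK' if ok else 'FAIL'}")
```

The digest-keyed lookup replaces the constant-time comparison that would be needed if raw tokens were stored, and popping the entry before any validation means a token can never be retried after a failed or expired attempt.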