CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Exploit likelihood: High

Parent: CWE-1390 - Weak Authentication

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. The entries listed below show the recurring forms this takes: reset tokens that are predictable or incremental, reset endpoints reachable without authentication, reset links whose origin is taken from attacker-controlled request headers, tokens that never expire or are never invalidated, and forgot-password flows that reveal whether an account exists or can be triggered cross-site.
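The following is an added illustration for this weakness class; it is not code from any of the projects listed on this page. It places a weak recovery flow (an incremental, user-derived token that never expires, plus a reset link built from the client-supplied Host / X-Forwarded-Host header) beside a hardened one (a CSPRNG token stored only as a hash, time-limited, single use, compared in constant time, with the link origin taken from server configuration). The 15-minute lifetime and the host `accounts.example.com` are assumptions chosen for the example.

```python
# Added illustration for CWE-640 (not code from any of the listed projects):
# a weak password-recovery flow next to a hardened one.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links live 15 minutes
CANONICAL_HOST = "accounts.example.com"  # assumed configured origin for reset links


class WeakResetService:
    """Anti-pattern: incremental, user-derived token that never expires or gets invalidated."""

    def __init__(self):
        self._counter = 1000
        self._tokens = {}  # plaintext token -> user

    def request_reset(self, user):
        self._counter += 1
        token = f"{self._counter}-{user}"  # anyone who sees one token can guess the next
        self._tokens[token] = user
        return token

    def consume(self, token):
        return self._tokens.get(token)  # no expiry, no single use, no invalidation


class ResetService:
    """Hardened flow: CSPRNG token, stored only as a hash, time-limited, single use."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised in a test
        self._pending = {}  # user -> (sha256(token), expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # goes into the email only; storage never holds the plaintext

    def consume(self, user, token):
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user]  # expired links are discarded, not honoured late
            return False
        if not hmac.compare_digest(self._digest(token), stored_digest):
            return False
        del self._pending[user]  # single use: resubmitting the same link fails
        return True


def weak_reset_link(user, token, headers):
    """Anti-pattern: trusts client-controlled Host / X-Forwarded-Host for the link origin,
    so a poisoned reset email sends the victim's token to the attacker's host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?user={user}&token={token}"


def reset_link(user, token):
    """Hardened: the origin comes from server configuration, not from the request."""
    return f"https://{CANONICAL_HOST}/reset?user={user}&token={token}"


if __name__ == "__main__":
    weak = WeakResetService()
    print("weak token for attacker:", weak.request_reset("attacker"))
    weak.request_reset("victim")
    print("guessed victim token resolves to:", weak.consume("1002-victim"))

    svc = ResetService()
    tok = svc.request_reset("alice")
    print("hardened link:", reset_link("alice", tok))
    print("first use:", svc.consume("alice", tok), "second use:", svc.consume("alice", tok))
```

In the weak service an attacker requests a reset for their own account, reads the counter from the token, triggers a reset for the victim and submits the next value; the hardened service gives the attacker nothing to derive, invalidates the token on first use or on expiry, and never stores the plaintext, so a database read does not yield usable tokens. The forgot-password response itself should also be identical whether or not the address is registered, so the endpoint cannot be used for account enumeration.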

272 vulnerabilities with CWE-640
CVE-2021-25957 HIGH
Dolibarr 2.8.1-13.0.2 and <14.0.0 - Account Takeover via Password Reset Link
CVSS 8.8
CVE-2021-37693 MEDIUM
Discourse < 2.7.8 - Insufficient Session Expiration via Email Verification Token
CVSS 5.3
CVE-2021-37541 MEDIUM
JetBrains Hub < 2021.1.13402 - HTML Injection in Password Reset Email
CVSS 6.1
CVE-2021-36708 HIGH
ProLink PRC2402M Firmware < 1.0.18 - Unauthenticated Password Reset via set_sys_init Function
CVSS 7.5
CVE-2021-36209 CRITICAL
JetBrains Hub <2021.1.13389 - Privilege Escalation
CVSS 9.8
CVE-2021-36804 MEDIUM
Akaunting < 2.1.13 - Password Reset Spoofing via Proxy Header Handling
CVSS 5.4
CVE-2021-33321 HIGH
Liferay Portal <7.3 - Info Disclosure
CVSS 7.5
CVE-2021-22763 CRITICAL
PowerLogic PM55xx, PM8ECC, EGX100, EGX300 - Weak Password Recovery Mechanism
CVSS 9.8
CVE-2021-28293 CRITICAL
Seceon aiSIEM <6.3.2 - Privilege Escalation
CVSS 9.8
CVE-2021-22731 CRITICAL
Modicon Managed Switch <V8.21 - Info Disclosure
CVSS 9.8
CVE-2021-31912 HIGH
JetBrains TeamCity < 2020.2.3 - Account Takeover via Weak Password Recovery Mechanism
CVSS 8.8
CVE-2021-28128 HIGH
Strapi <3.6.0 - Privilege Escalation
CVSS 8.1
CVE-2021-29080 HIGH
NETGEAR Multiple Routers and WiFi Systems - Unauthenticated Password Reset
CVSS 8.1
CVE-2021-25323 CRITICAL
MISP 2.4.136 - Weak Password Recovery Mechanism
CVSS 9.1
CVE-2020-37172 MEDIUM
AVideo Platform 8.1 - Cross-Site Request Forgery in Password Recovery Mechanism
CVSS 5.3
CVE-2020-37158 MEDIUM
AVideo Platform 8.1 - Cross-Site Request Forgery via Password Recovery Mechanism
CVSS 5.3
CVE-2020-12067 HIGH
Pilz PMC 3.x < 3.5.17 - Weak Password Recovery Mechanism
CVSS 7.5
CVE-2020-5361 MEDIUM
Dell CPG BIOS - Unauthenticated BIOS Password Reset via Unauthorized Recovery Tool
CVSS 5.1
CVE-2020-28186 HIGH
TerraMaster TOS <= 4.2.06 - Unauthenticated Account Takeover via Email Injection
CVSS 7.3
CVE-2020-27408 HIGH
OpenSIS Community Edition < 7.6 - Unauthenticated Arbitrary Password Reset via ResetUserInfo.php
CVSS 7.5
CVE-2020-27179 CRITICAL
konzept-ix publiXone <2020.015 - Privilege Escalation
CVSS 9.8
CVE-2020-25728 HIGH
Alfresco Reset Password < 1.2.0 - Unauthenticated Password Reset via Incremental Algorithm
CVSS 8.8
CVE-2020-25105 CRITICAL
eramba c2.8.1 and Enterprise < e2.19.3 - Weak Password Recovery Token
CVSS 9.8
CVE-2020-14016 MEDIUM
Navigate CMS 2.9 r1433 - User Enumeration via Forgot Password Feature
CVSS 5.3
CVE-2020-14015 HIGH
Navigate CMS 2.9 r1433 - Unauthenticated Password Reset via Missing Activation Code
CVSS 7.5