CWE-640: Weak Password Recovery Mechanism for Forgotten Password
Exploit likelihood: High
Parent: CWE-1390 - Weak Authentication
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
272 vulnerabilities with CWE-640
CVE-2020-11027
MEDIUM
WordPress <5.4.1 - Info Disclosure
CVSS 6.1
CVE-2020-7245
CRITICAL
CTFd 2.0.0-2.2.2 - Account Takeover via Username Collision in Registration
CVSS 9.8
CVE-2019-6560
CRITICAL
Auto-Maskin RP210E, DCU210E, and Marine Pro Observer - Weak Password Recovery Mechanism
CVSS 9.1
CVE-2019-20004
HIGH
Intelbras IWR 3000N 1.8.7 - Weak Password Recovery Mechanism
CVSS 8.8
CVE-2019-19844
CRITICAL
Django < 1.11.27, 2.x < 2.2.9, 3.x < 3.0.1 - Account Takeover via Unicode Case Transformation Bypass
CVSS 9.8
CVE-2019-17392
CRITICAL
Progress Sitefinity 9.1-9.1.6185 - Weak Password Recovery Mechanism via HTTP Host Header
CVSS 9.8
CVE-2019-18818
CRITICAL
Strapi CMS Unauthenticated Password Reset
CVSS 9.8
CVE-2019-15929
CRITICAL
Craft CMS < 3.1.7 - Unauthenticated Brute Force via Elevated Session Password Prompt
CVSS 9.8
CVE-2019-15749
MEDIUM
SITOS six v6.2.1 - Weak Password Recovery Mechanism
CVSS 6.5
CVE-2019-14955
MEDIUM
JetBrains Hub < 2018.4.11436 - Weak Password Recovery Mechanism
CVSS 5.3
CVE-2019-12943
HIGH
TTLock - Weak Password Recovery Mechanism for Forgotten Password
CVSS 8.1
CVE-2019-13240
MEDIUM
GLPI < 9.4.1 - Weak Password Recovery Mechanism for Forgotten Password
CVSS 5.9
CVE-2019-10270
HIGH
Ultimate Member < 2.0.40 - Unauthenticated Arbitrary Password Reset via User ID Manipulation
CVSS 8.8
CVE-2019-3787
HIGH
Cloud Foundry UAA <73.0.0 - Info Disclosure
CVSS 8.3
CVE-2019-12476
MEDIUM
ManageEngine ADSelfService Plus < 5.0.6 - Authentication Bypass via Password Reset Keyboard Input Sequence
CVSS 6.8
CVE-2019-11414
HIGH
Intelbras IWR 3000N <1.5.0 - Privilege Escalation
CVSS 8.8
CVE-2019-11393
CRITICAL
M/Monit <3.7.3 - Privilege Escalation
CVSS 9.8
CVE-2019-10641
CRITICAL
Contao < 3.5.39 and 4.x < 4.7.3 - Weak Password Recovery Mechanism
CVSS 9.8
CVE-2018-16988
CRITICAL
Open XDMoD through 7.5.0 - Authentication Bypass via Weak Password Reset Mechanism
CVSS 9.8
CVE-2018-16529
CRITICAL
Forcepoint Email Security 8.5.0-8.5.2 - Weak Password Recovery Mechanism
CVSS 9.8
CVE-2018-19488
CRITICAL
WP-jobhunt < 2.4 - Unauthenticated Password Reset via admin-ajax.php
CVSS 9.8
CVE-2018-0696
HIGH
OpenAM 13.0-13.0.0-120 - Authenticated Weak Password Recovery Mechanism
CVSS 7.5
CVE-2018-18871
CRITICAL
Gigaset Maxwell Basic VoIP Phones 2.22.7 - Unauthenticated Admin Password Change
CVSS 9.8
CVE-2018-1000812
HIGH
Artica Integria IMS <5.0 MR56 Package 58 - Weak Password Recovery
CVSS 8.1
CVE-2018-12315
MEDIUM
ASUSTOR ADM <3.1.1 - Info Disclosure
CVSS 6.5