Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-5C37-5J7W-8MH8

Vulnerability from github – Published: 2026-06-09 18:31 – Updated: 2026-06-09 18:31
VLAI
Details

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T18:17:10Z",
    "severity": "HIGH"
  },
  "details": "LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target\u0027s username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host\u0027s newPassword endpoint to set a new password and take over the account.",
  "id": "GHSA-5c37-5j7w-8mh8",
  "modified": "2026-06-09T18:31:04Z",
  "published": "2026-06-09T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LimeSurvey/LimeSurvey/pull/5032"
    },
    {
      "type": "WEB",
      "url": "https://www.limesurvey.org"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/limesurvey-password-reset-host-header-injection-discloses-reset-token"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5CJR-78CQ-3WRG

Vulnerability from github – Published: 2022-05-10 00:00 – Updated: 2022-05-25 20:05
VLAI
Summary
Improper account password reset in Craft CMS
Details

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T20:05:42Z",
    "nvd_published_at": "2022-05-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account\u0027s password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor\u0027s position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).",
  "id": "GHSA-5cjr-78cq-3wrg",
  "modified": "2022-05-25T20:05:42Z",
  "published": "2022-05-10T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29933"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/vulnerability-lab"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper account password reset in Craft CMS"
}

GHSA-5QQ2-QMP3-F37Q

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 18:31
VLAI
Details

Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templates without rate limiting, allowing brute force attacks to guess valid reset tokens and compromise user accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-56748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T15:16:04Z",
    "severity": "MODERATE"
  },
  "details": "Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templates without rate limiting, allowing brute force attacks to guess valid reset tokens and compromise user accounts.",
  "id": "GHSA-5qq2-qmp3-f37q",
  "modified": "2025-10-15T18:31:50Z",
  "published": "2025-10-15T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56748"
    },
    {
      "type": "WEB",
      "url": "https://suryadina.com/academy-lms-reset-bruteforce-5q8w2e7t9y"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5VPJ-22HP-CHFG

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30
VLAI
Details

VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks.

Impact: Username enumeration → credential brute force risk. Attack Vector: Remote, unauthenticated. Severity: Important. CVSSv3: 8.1 (High).

Acknowledgments: Reported by the National Security Agency.

Affected Products:VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x

NSX-T 3.x VMware Cloud Foundation (with NSX) 5.x, 4.5.x

Fixed Versions: NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T19:15:35Z",
    "severity": "HIGH"
  },
  "details": "VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks.\n\nImpact:\u00a0Username enumeration \u2192 credential brute force risk.\nAttack Vector:\u00a0Remote, unauthenticated.\nSeverity:\u00a0Important.\nCVSSv3:\u00a08.1 (High).\n\nAcknowledgments:\u00a0Reported by the National Security Agency.\n\nAffected Products:VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x\n\nNSX-T 3.x\nVMware Cloud Foundation (with NSX) 5.x, 4.5.x\n\nFixed Versions: NSX 9.0.1.0;  4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287).\nWorkarounds: None.",
  "id": "GHSA-5vpj-22hp-chfg",
  "modified": "2025-09-29T21:30:26Z",
  "published": "2025-09-29T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41251"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W3X-GFW2-FM64

Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2022-05-14 03:15
VLAI
Details

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password (including root). A low-privilege user could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-31T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user\u0027s password (including root). A low-privilege user could abuse this feature by changing the password of the \u0027kace_support\u0027 account, which comes disabled by default but has full sudo privileges.",
  "id": "GHSA-5w3x-gfw2-fm64",
  "modified": "2022-05-14T03:15:28Z",
  "published": "2022-05-14T03:15:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11134"
    },
    {
      "type": "WEB",
      "url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64VH-QW36-84GX

Vulnerability from github – Published: 2022-05-14 03:42 – Updated: 2022-05-14 03:42
VLAI
Details

In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an authenticated user is able to change an administrative user's e-mail address and send a forgot password email to themselves, thereby gaining administrative access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-31T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an authenticated user is able to change an administrative user\u0027s e-mail address and send a forgot password email to themselves, thereby gaining administrative access.",
  "id": "GHSA-64vh-qw36-84gx",
  "modified": "2022-05-14T03:42:42Z",
  "published": "2022-05-14T03:42:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8916"
    },
    {
      "type": "WEB",
      "url": "https://www.cisecurity.org/cis-security-updates/incorrect-access-control-cve-2017-8916"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68F5-49RW-QGQ9

Vulnerability from github – Published: 2022-01-19 00:00 – Updated: 2022-01-26 00:03
VLAI
Details

An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).",
  "id": "GHSA-68f5-49rw-qgq9",
  "modified": "2022-01-26T00:03:00Z",
  "published": "2022-01-19T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44839"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/rntcruz23/16ac2d9dfc7e32b0f57dc7b20f17cd29"
    },
    {
      "type": "WEB",
      "url": "https://www.deltarm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6CVF-4R9P-V25Q

Vulnerability from github – Published: 2022-05-14 03:07 – Updated: 2022-05-14 03:07
VLAI
Details

Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Trovebox version \u003c= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.",
  "id": "GHSA-6cvf-4r9p-v25q",
  "modified": "2022-05-14T03:07:03Z",
  "published": "2022-05-14T03:07:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000554"
    },
    {
      "type": "WEB",
      "url": "https://telekomsecurity.github.io/2018/04/trovebox-vulnerabilities.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6M9Q-9M44-9HVQ

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2025-11-04 21:31
VLAI
Details

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T16:15:48Z",
    "severity": "HIGH"
  },
  "details": "An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability.",
  "id": "GHSA-6m9q-9m44-9hvq",
  "modified": "2025-11-04T21:31:00Z",
  "published": "2024-01-10T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49589"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1896"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P33-RPVQ-F3C3

Vulnerability from github – Published: 2026-05-18 18:31 – Updated: 2026-05-18 18:31
VLAI
Details

An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-36438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-18T16:16:29Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd",
  "id": "GHSA-6p33-rpvq-f3c3",
  "modified": "2026-05-18T18:31:30Z",
  "published": "2026-05-18T18:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36438"
    },
    {
      "type": "WEB",
      "url": "https://backend.intelbras.com/sites/default/files/2023-03/Datasheet%20UNIFICADO%20-%20VIP%201230%20B.D.G4-v2.pdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kensh1k/CVE-2026-36438/tree/main"
    },
    {
      "type": "WEB",
      "url": "https://www.intelbras.com/pt-br/camera-dome-wi-fi-vip-1230-d-w-g4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.