Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-C93V-XV7Q-4W4C

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2023-04-17 18:30
VLAI
Details

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.",
  "id": "GHSA-c93v-xv7q-4w4c",
  "modified": "2023-04-17T18:30:29Z",
  "published": "2022-05-24T16:48:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10270"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2019060101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9R7-WPW8-XC67

Vulnerability from github – Published: 2024-08-23 15:30 – Updated: 2024-08-23 21:30
VLAI
Details

A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users' passwords and compromise their accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-23T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users\u0027 passwords and compromise their accounts.",
  "id": "GHSA-c9r7-wpw8-xc67",
  "modified": "2024-08-23T21:30:42Z",
  "published": "2024-08-23T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/debashish-choudhury/staff-appraisal-system"
    },
    {
      "type": "WEB",
      "url": "https://github.com/soursec/CVEs/tree/main/CVE-2024-42915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC3R-WQMP-6H2G

Vulnerability from github – Published: 2023-01-13 00:30 – Updated: 2025-04-08 15:30
VLAI
Details

The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user's session token when the "Password forgotten?" button is clicked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-12T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user\u0027s session token when the \"Password forgotten?\" button is clicked.",
  "id": "GHSA-cc3r-wqmp-6h2g",
  "modified": "2025-04-08T15:30:39Z",
  "published": "2023-01-13T00:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25027"
    },
    {
      "type": "WEB",
      "url": "https://labs.nettitude.com/blog/cve-2022-25026-cve-2022-25027-vulnerabilities-in-rocket-trufusion-enterprise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJJJ-54W8-XMQ6

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-04-05 00:00
VLAI
Details

A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-29T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely.",
  "id": "GHSA-cjjj-54w8-xmq6",
  "modified": "2022-04-05T00:00:44Z",
  "published": "2022-03-30T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1073"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.194839"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CM5V-3GC5-6W7V

Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31
VLAI
Details

Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T23:15:53Z",
    "severity": "HIGH"
  },
  "details": "Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication.",
  "id": "GHSA-cm5v-3gc5-6w7v",
  "modified": "2026-01-14T00:31:28Z",
  "published": "2026-01-14T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50910"
    },
    {
      "type": "WEB",
      "url": "https://imgur.com/a/hVlgpCg"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/beehiveforum"
    },
    {
      "type": "WEB",
      "url": "https://www.beehiveforum.co.uk"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50923"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/beehive-forum-account-takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CQ42-VHV7-XR7P

Vulnerability from github – Published: 2024-06-12 19:42 – Updated: 2024-12-20 17:54
VLAI
Summary
Keycloak Denial of Service via account lockout
Details

In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-12T19:42:21Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "In any realm set with \"User (Self) registration\" a user that is registered with a username in email format can be \"locked out\" (denied from logging in) using his username.",
  "id": "GHSA-cq42-vhv7-xr7p",
  "modified": "2024-12-20T17:54:23Z",
  "published": "2024-06-12T19:42:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/29603"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/29603#issuecomment-2127499627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1722"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak Denial of Service via account lockout"
}

GHSA-CQ63-2G3G-QJF5

Vulnerability from github – Published: 2025-02-28 09:30 – Updated: 2025-02-28 09:30
VLAI
Details

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-28T09:15:12Z",
    "severity": "HIGH"
  },
  "details": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.",
  "id": "GHSA-cq63-2g3g-qjf5",
  "modified": "2025-02-28T09:30:55Z",
  "published": "2025-02-28T09:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1570"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3246340/directorist"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/853562ed-7f2e-453c-b3d0-67c90bd0231f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ6M-74R4-X77G

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2024-02-28 21:03
VLAI
Summary
Cloud Foundry Runtime has Weak Password Recovery Mechanism for Forgotten Password
Details

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-5172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-28T21:03:01Z",
    "nvd_published_at": "2017-10-24T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.",
  "id": "GHSA-cq6m-74r4-x77g",
  "modified": "2024-02-28T21:03:01Z",
  "published": "2022-05-13T01:07:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/cd31cc397fe17389d95b83d6a9caa46eebc54faf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudfoundry/uaa"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2015-5170-5173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cloud Foundry Runtime has Weak Password Recovery Mechanism for Forgotten Password"
}

GHSA-CQMJ-26M2-WVGH

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-30T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server",
  "id": "GHSA-cqmj-26m2-wvgh",
  "modified": "2022-05-13T01:53:59Z",
  "published": "2022-05-13T01:53:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7811"
    },
    {
      "type": "WEB",
      "url": "https://security.cse.iitk.ac.in/responsible-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2018-38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXH2-HXRP-WMGX

Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30
VLAI
Details

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-29T01:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.",
  "id": "GHSA-cxh2-hxrp-wmgx",
  "modified": "2023-10-29T03:30:30Z",
  "published": "2023-10-29T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkstackorg/linkstack/commit/fe7b99eae88f9e4c4cd4b00bab372cbf4b584b16"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8042d8c3-650e-4c0d-9146-d9ccf6082b30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.