Common Weakness Enumeration

CWE-640

Allowed-with-Review

Weak Password Recovery Mechanism for Forgotten Password

Abstraction: Base · Status: Incomplete

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

393 vulnerabilities reference this CWE, most recent first.

GHSA-MMX4-RRQX-Q94X

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2025-04-20 03:38
VLAI
Details

register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-12T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm.",
  "id": "GHSA-mmx4-rrqx-q94x",
  "modified": "2025-04-20T03:38:48Z",
  "published": "2022-05-13T01:11:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9543"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42154"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MP8R-JGRR-9J4X

Vulnerability from github – Published: 2022-05-14 01:32 – Updated: 2022-05-14 01:32
VLAI
Details

OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-13T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.",
  "id": "GHSA-mp8r-jgrr-9j4x",
  "modified": "2022-05-14T01:32:41Z",
  "published": "2022-05-14T01:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0696"
    },
    {
      "type": "WEB",
      "url": "https://www.cs.themistruct.com/report/wam20181012"
    },
    {
      "type": "WEB",
      "url": "https://www.osstech.co.jp/support/am2018-4-1-en"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN49995005/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQJC-WG38-CGVF

Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-05 00:31
VLAI
Details

The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T22:15:48Z",
    "severity": "HIGH"
  },
  "details": "The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.",
  "id": "GHSA-mqjc-wg38-cgvf",
  "modified": "2025-12-05T00:31:05Z",
  "published": "2025-12-05T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53704"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02"
    },
    {
      "type": "WEB",
      "url": "https://www.maxhub.com/en/support"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MR43-56J6-53P3

Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2022-05-14 01:14
VLAI
Details

The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user's account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "CRITICAL"
  },
  "details": "The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user\u0027s account.",
  "id": "GHSA-mr43-56j6-53p3",
  "modified": "2022-05-14T01:14:27Z",
  "published": "2022-05-14T01:14:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Antho59/wp-jobhunt-exploit"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9206"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWHF-6MJM-6W3H

Vulnerability from github – Published: 2024-02-21 00:31 – Updated: 2025-07-29 13:05
VLAI
Summary
Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers
Details

In Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:portal-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.18.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.users.admin.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.login.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.commerce:com.liferay.commerce.account.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.10.fp17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0"
            },
            {
              "fixed": "7.3.10.fp1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T13:05:27Z",
    "nvd_published_at": "2024-02-20T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In Liferay Impl before 5.18.4, Liferay Users Admin Web before 5.0.33, Liferay Login Web before 5.0.18, and Liferay Commerce Account Web before 3.0.7 from Liferay Portal (7.2.0 through 7.3.5), and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user\u0027s password reminder answers.",
  "id": "GHSA-mwhf-6mjm-6w3h",
  "modified": "2025-07-29T13:05:27Z",
  "published": "2024-02-21T00:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/5e2da784aeefce64107abd0411590db2b55faf0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-29038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers"
}

GHSA-MWMH-7PX9-4C23

Vulnerability from github – Published: 2025-10-29 22:20 – Updated: 2025-11-05 22:13
VLAI
Summary
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Details

Impact

A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.

If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.

It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.

Affected Versions

Systems running one of the following versions: - 4.x: 4.0.0 to 4.5.0 (including RC versions) - 3.x: 3.0.0 to 3.4.2 (including RC versions) - 2.x: v2.0.0 to 2.71.17

Patches

Patched version ensure proper validation of the headers:

4.x: Upgrade to >=4.6.0 3.x: Update to >=3.4.3 2.x: Update to >=2.71.18

Workarounds

The recommended solution is to update ZITADEL to a patched version.

A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.71.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.80.0-v2.20.0.20251029090537-72a5c33e6ac3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:20:50Z",
    "nvd_published_at": "2025-10-29T19:15:38Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA potential vulnerability exists in ZITADEL\u0027s password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.\n\nIf an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account.\n\nIt\u0027s important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.\n\n### Affected Versions\n\nSystems running one of the following versions:\n- **4.x**: `4.0.0` to `4.5.0` (including RC versions)\n- **3.x**: `3.0.0` to `3.4.2` (including RC versions)\n- **2.x**: `v2.0.0` to `2.71.17`\n\n### Patches\n\nPatched version ensure proper validation of the headers:\n\n4.x: Upgrade to \u003e=[4.6.0](https://github.com/zitadel/zitadel/releases/tag/v4.6.0)\n3.x: Update to \u003e=[3.4.3](https://github.com/zitadel/zitadel/releases/tag/v3.4.3)\n2.x: Update to \u003e=[2.71.18](https://github.com/zitadel/zitadel/releases/tag/v2.71.18)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nA ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Amit Laish \u2013 GE Vernova for finding and reporting the vulnerability.",
  "id": "GHSA-mwmh-7px9-4c23",
  "modified": "2025-11-05T22:13:14Z",
  "published": "2025-10-29T22:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4084"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection"
}

GHSA-MX36-J5GV-JJ56

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:53
VLAI
Details

ZPanel 10.0.1 has insufficient entropy for its password reset process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-04T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "ZPanel 10.0.1 has insufficient entropy for its password reset process.",
  "id": "GHSA-mx36-j5gv-jj56",
  "modified": "2024-04-03T23:53:19Z",
  "published": "2022-04-23T00:40:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5686"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79841"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/56400"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXCR-F478-CRP2

Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2026-04-08 21:32
VLAI
Details

The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T04:15:11Z",
    "severity": "HIGH"
  },
  "details": "The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code.",
  "id": "GHSA-mxcr-f478-crp2",
  "modified": "2026-04-08T21:32:45Z",
  "published": "2024-06-11T06:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7264"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3201569%40build-app-online\u0026new=3201569%40build-app-online\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXQ8-MX56-69HW

Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2022-05-14 03:08
VLAI
Details

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-14T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.",
  "id": "GHSA-mxq8-mx56-69hw",
  "modified": "2022-05-14T03:08:36Z",
  "published": "2022-05-14T03:08:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ltb-project/self-service-password/issues/209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ltb-project/self-service-password/issues/211"
    },
    {
      "type": "WEB",
      "url": "https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXVF-FGG2-9QXJ

Vulnerability from github – Published: 2022-05-17 03:39 – Updated: 2022-05-17 03:39
VLAI
Details

The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-26T04:59:00Z",
    "severity": "HIGH"
  },
  "details": "The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack.",
  "id": "GHSA-mxvf-fgg2-9qxj",
  "modified": "2022-05-17T03:39:56Z",
  "published": "2022-05-17T03:39:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5996"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21990216"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Mitigation
Architecture and Design

Do not use standard weak security questions and use several security questions.

Mitigation
Architecture and Design

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Mitigation
Architecture and Design

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Mitigation
Architecture and Design

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Mitigation
Architecture and Design

Assign a new temporary password rather than revealing the original password.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.