Vulnerabilities (CVE)

Filtered by CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
Total: 192 CVEs
CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v2 (score, severity) | CVSS v3 (score, severity)
CVE-2022-26872 1 Ami 1 Megarac Sp-x 2024-11-21 N/A 8.3 HIGH
AMI Megarac Password reset interception via API
CVE-2022-24892 1 Shopware 1 Shopware 2024-11-21 6.8 MEDIUM 6.4 MEDIUM
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested, and all of them can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victim's email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
CVE-2022-23855 1 Saviynt 1 Enterprise Identity Cloud 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An authentication bypass in ECM/maintenance/forgotpasswordstep1 allows an unauthenticated user to reset passwords and login as any local account.
CVE-2022-23619 1 Xwiki 1 Xwiki 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible to guess whether a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched in XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised to update. There are no known workarounds for this issue.
CVE-2022-23172 1 Priority-software 1 Priority 2024-11-21 4.0 MEDIUM 5.5 MEDIUM
An attacker can use the "Forgot my password" button: as soon as a username that is valid in the system is entered, the system responds that a password reset email has been sent to that user. This makes it possible to verify which users exist in the system and which do not.
CVE-2022-1073 1 Automatic Question Paper Generator System Project 1 Automatic Question Paper Generator System 2024-11-21 7.5 HIGH 7.3 HIGH
A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely.
CVE-2022-0777 1 Microweber 1 Microweber 2024-11-21 5.0 MEDIUM 7.5 HIGH
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.
CVE-2021-44839 1 Deltarm 1 Delta Rm 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).
CVE-2021-44037 1 Teampasswordmanager 1 Team Password Manager 2024-11-21 5.0 MEDIUM 7.5 HIGH
Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning.
CVE-2021-43498 1 Atutor 1 Atutor 2024-11-21 5.0 MEDIUM 7.5 HIGH
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
CVE-2021-39919 1 Gitlab 1 Gitlab 2024-11-21 2.1 LOW 4.4 MEDIUM
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
CVE-2021-39899 1 Gitlab 1 Gitlab 2024-11-21 1.9 LOW 2.9 LOW
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
CVE-2021-37693 1 Discourse 1 Discourse 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token, which can then be used in other contexts, including resetting a password.
CVE-2021-37541 1 Jetbrains 1 Hub 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
CVE-2021-36804 1 Akaunting 1 Akaunting 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical vulnerabilities in Laravel projects that implement multi-tenant applications.
CVE-2021-36708 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.
CVE-2021-36209 1 Jetbrains 1 Hub 2024-11-21 7.5 HIGH 9.8 CRITICAL
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
CVE-2021-36095 1 Otrs 1 Otrs 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions; OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
CVE-2021-33321 1 Liferay 2 Dxp, Liferay Portal 2024-11-21 5.0 MEDIUM 7.5 HIGH
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal.properties setting login.secure.forgot.password should default to true.
CVE-2021-31912 1 Jetbrains 1 Teamcity 2024-11-21 6.8 MEDIUM 8.8 HIGH
In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.
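The entries above repeat a handful of design faults. The "forgot password" endpoint answers differently for existing and unknown accounts, which enumerates users (CVE-2022-23619, CVE-2022-23172, CVE-2021-36095, CVE-2021-33321). Earlier reset tokens stay valid after a new one is issued, or a token minted for one purpose is accepted for another (CVE-2022-24892, CVE-2021-37693). The reset link is built from client-influenced request headers rather than configuration, which is the password-reset poisoning of CVE-2021-44037 and CVE-2021-36804. Reset tokens are written to logs in clear (CVE-2021-39919). The Python below is an added example of a flow that closes each of these, not code from any product listed on this page; the in-memory user directory, token table, `BASE_URL` and `outbox` are constructed stand-ins so it runs offline.

```python
"""Hardened "forgot password" flow: an added example, not code from any product listed above.
Constructed assumptions: an in-memory user directory, a token table keyed by the SHA-256 of the
token, a BASE_URL read from configuration, and an outbox list standing in for e-mail delivery."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://accounts.example.test"  # from configuration, never from the request Host header
TOKEN_TTL_SECONDS = 15 * 60
# One reply for existing and non-existing accounts, so the endpoint cannot be used to enumerate users.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


@dataclass
class TokenRecord:
    user_id: int
    purpose: str          # "password_reset" or "email_verification"; a token never crosses purposes
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: Dict[str, int]                                         # e-mail -> user id
    now: Callable[[], float] = time.time                          # injectable clock for expiry
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)  # sha256(token) -> record
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, link) pairs

    @staticmethod
    def _digest(raw_token: str) -> str:
        # Only the hash is stored, so a leaked table or log line holds no usable token.
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def revoke(self, user_id: int, purpose: str) -> None:
        """Invalidate every outstanding token of this purpose for the user."""
        for rec in self.tokens.values():
            if rec.user_id == user_id and rec.purpose == purpose:
                rec.used = True

    def issue(self, user_id: int, purpose: str) -> str:
        """Mint a fresh token; any earlier token of the same purpose stops working."""
        self.revoke(user_id, purpose)
        raw = secrets.token_urlsafe(32)
        self.tokens[self._digest(raw)] = TokenRecord(user_id, purpose, self.now() + TOKEN_TTL_SECONDS)
        return raw

    def consume(self, raw_token: str, purpose: str) -> Optional[int]:
        """Return the user id if the token is live and was minted for this purpose, else None.
        A successful call burns the token, so it is single use."""
        rec = self.tokens.get(self._digest(raw_token))
        if rec is None or rec.used or rec.purpose != purpose or rec.expires_at <= self.now():
            return None
        rec.used = True
        return rec.user_id

    def request_reset(self, email: str, request_host: str) -> str:
        """'Forgot password' handler. request_host is the client-supplied Host header; it is a
        parameter only to make visible that the mailed link does not depend on it."""
        user_id = self.users.get(email.strip().lower())
        if user_id is not None:
            raw = self.issue(user_id, "password_reset")
            self.outbox.append((email, f"{BASE_URL}/reset?token={raw}"))
        return GENERIC_REPLY


def token_from_link(link: str) -> str:
    """Pull the token parameter back out of a mailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


def run_demo() -> dict:
    """Exercise each control against constructed data and return what was observed."""
    clock = [1_700_000_000.0]
    svc = ResetService(users={"alice@example.test": 1}, now=lambda: clock[0])
    svc.request_reset("alice@example.test", request_host="attacker.example")
    known = svc.request_reset("alice@example.test", request_host="attacker.example")
    unknown = svc.request_reset("nobody@example.test", request_host="attacker.example")
    first, second = (token_from_link(link) for _, link in svc.outbox)
    verify = svc.issue(1, "email_verification")
    results = {
        "reply_identical": known == unknown,
        "mails_sent": len(svc.outbox),                    # 2: nothing is sent for the unknown address
        "link_host": urlparse(svc.outbox[0][1]).netloc,   # configured host, not attacker.example
        "stale_token_rejected": svc.consume(first, "password_reset") is None,
        "cross_purpose_rejected": svc.consume(verify, "password_reset") is None,
        "latest_token_accepted": svc.consume(second, "password_reset") == 1,
        "replay_rejected": svc.consume(second, "password_reset") is None,
    }
    svc.revoke(1, "email_verification")  # the pending address was deleted
    results["revoked_rejected"] = svc.consume(verify, "email_verification") is None
    expiring = svc.issue(1, "password_reset")
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = svc.consume(expiring, "password_reset") is None
    return results
```

Two caveats when carrying this into a real service. The identical reply removes the content-based oracle but not the timing one: token generation and mail delivery only happen for existing accounts, so hand the send to a queue and return before it completes. And the hashed-at-rest token only helps if the raw token is never echoed into application or proxy logs; the mailed link carries it as a query parameter, so log scrubbing for the `/reset` path still matters.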