CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Description
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-50
CVEs mapped to this weakness (136)
page 1 of 7| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17097 | Cri | 0.67 | 9.8 | 0.07 | Jan 2, 2018 | gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to… | ||
| CVE-2017-7615 | Hig | 0.67 | 8.8 | 0.91 | Apr 16, 2017 | MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php. | ||
| CVE-2025-4320 | Cri | 0.65 | 10.0 | 0.00 | Jan 23, 2026 | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through… | ||
| CVE-2025-12866 | Cri | 0.64 | 9.8 | 0.00 | Nov 10, 2025 | EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password. | ||
| CVE-2025-10127 | Cri | 0.64 | 9.8 | 0.01 | Sep 11, 2025 | Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials. | ||
| CVE-2025-32486 | — | Cri | 0.64 | 9.8 | 0.00 | Sep 9, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard.This issue affects Material Dashboard: from n/a through <= 1.4.6. | |
| CVE-2025-50594 | Cri | 0.64 | 9.8 | 0.00 | Aug 13, 2025 | An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password. | ||
| CVE-2025-43932 | Cri | 0.64 | 9.8 | 0.00 | Jul 7, 2025 | JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | ||
| CVE-2025-43931 | Cri | 0.64 | 9.8 | 0.00 | Jul 7, 2025 | flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | ||
| CVE-2025-47646 | Cri | 0.64 | 9.8 | 0.22 | May 23, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13. | ||
| CVE-2025-31380 | Cri | 0.64 | 9.8 | 0.00 | Apr 17, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11. | ||
| CVE-2024-5404 | — | Cri | 0.64 | 9.8 | 0.01 | Jun 3, 2024 | An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism. | |
| CVE-2021-22763 | Cri | 0.64 | 9.8 | 0.02 | Jun 11, 2021 | A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to… | ||
| CVE-2018-16988 | Cri | 0.64 | 9.8 | 0.02 | May 2, 2019 | An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the… | ||
| CVE-2018-17881 | Cri | 0.64 | 9.8 | 0.01 | Oct 3, 2018 | On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change. | ||
| CVE-2018-17298 | Cri | 0.64 | 9.8 | 0.02 | Sep 21, 2018 | An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes its password. | ||
| CVE-2018-1000554 | Cri | 0.64 | 9.8 | 0.01 | Jun 26, 2018 | Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. | ||
| CVE-2018-12421 | Cri | 0.64 | 9.8 | 0.03 | Jun 14, 2018 | LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string. | ||
| CVE-2018-10081 | Cri | 0.64 | 9.8 | 0.02 | Apr 13, 2018 | CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring. | ||
| CVE-2015-4689 | Cri | 0.64 | 9.8 | 0.02 | Sep 11, 2017 | Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset." |
- risk 0.67cvss 9.8epss 0.07
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to…
- risk 0.67cvss 8.8epss 0.91
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
- risk 0.65cvss 10.0epss 0.00
Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through…
- risk 0.64cvss 9.8epss 0.00
EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.
- risk 0.64cvss 9.8epss 0.01
Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials.
- risk 0.64cvss 9.8epss 0.00
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard.This issue affects Material Dashboard: from n/a through <= 1.4.6.
- risk 0.64cvss 9.8epss 0.00
An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.
- risk 0.64cvss 9.8epss 0.00
JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
- risk 0.64cvss 9.8epss 0.00
flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
- risk 0.64cvss 9.8epss 0.22
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13.
- risk 0.64cvss 9.8epss 0.00
Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11.
- risk 0.64cvss 9.8epss 0.01
An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.
- risk 0.64cvss 9.8epss 0.02
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the…
- risk 0.64cvss 9.8epss 0.01
On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change.
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes its password.
- risk 0.64cvss 9.8epss 0.01
Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.
- risk 0.64cvss 9.8epss 0.03
LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.
- risk 0.64cvss 9.8epss 0.02
CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring.
- risk 0.64cvss 9.8epss 0.02
Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset."