CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Abstraction: Base | Status: Incomplete | Likelihood of Exploit: High
Description
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-50
CVEs mapped to this weakness (77)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-42915 | High | 0.52 | 8.0 | 0.00 | | Aug 23, 2024 | A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users' passwords and compromise their accounts. |
| CVE-2025-53373 | High | 0.51 | — | 0.00 | | Jul 7, 2025 | Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b. |
| CVE-2023-53958 | High | 0.49 | 7.5 | 0.00 | | Dec 19, 2025 | LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens. |
| CVE-2025-53704 | High | 0.49 | 7.5 | 0.00 | | Dec 4, 2025 | The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account. |
| CVE-2024-33530 | High | 0.49 | 7.5 | 0.00 | | May 2, 2024 | In Jitsi Meet before 9391, a logic flaw in password-protected Jitsi meetings (that make use of a lobby) leads to the disclosure of the meeting password when a user is invited to a call after waiting in the lobby. |
| CVE-2017-7629 | High | 0.49 | 7.5 | 0.00 | | Jun 15, 2017 | QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function. |
| CVE-2017-9543 | High | 0.49 | 7.5 | 0.00 | | Jun 12, 2017 | register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm. |
| CVE-2017-7731 | High | 0.49 | 7.5 | 0.00 | | May 27, 2017 | A weak password recovery vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to carry out information disclosure via the Forgotten Password feature. |
| CVE-2016-8716 | High | 0.49 | 7.5 | 0.00 | | Apr 12, 2017 | An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials. |
| CVE-2016-2349 | High | 0.49 | 7.5 | 0.00 | | Dec 21, 2016 | Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password. |
| CVE-2016-5996 | High | 0.49 | 7.5 | 0.00 | | Sep 26, 2016 | The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| CVE-2026-40585 | High | 0.48 | 7.4 | 0.00 | | Apr 21, 2026 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair; it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0. |
| CVE-2017-8295 | Medium | 0.48 | 5.9 | 0.77 | | May 4, 2017 | WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. |
| CVE-2016-7038 | High | 0.47 | 7.3 | 0.00 | | Jan 20, 2017 | In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| CVE-2026-30459 | High | 0.46 | 7.1 | 0.00 | | Apr 16, 2026 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. |
| CVE-2026-28681 | High | 0.46 | 8.1 | 0.00 | | Mar 6, 2026 | Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1. |
| CVE-2025-61977 | High | 0.46 | 7.0 | 0.00 | | Oct 23, 2025 | A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question. |
| CVE-2017-5594 | High | 0.45 | 7.5 | 0.05 | | Jan 25, 2017 | An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01. |
| CVE-2016-5997 | Medium | 0.42 | 6.5 | 0.00 | | Sep 26, 2016 | The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| CVE-2025-55030 | Medium | 0.40 | 6.1 | 0.00 | | Aug 19, 2025 | Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks. This vulnerability was fixed in Firefox for iOS 142. |