CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Description
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-50
CVEs mapped to this weakness (136)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8716 | | High | 0.49 | 7.5 | 0.01 | | Apr 12, 2017 | An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker… |
| CVE-2016-2349 | | High | 0.49 | 7.5 | 0.01 | | Dec 21, 2016 | Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password. |
| CVE-2016-5996 | | High | 0.49 | 7.5 | 0.01 | | Sep 26, 2016 | The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length… |
| CVE-2016-7038 | | High | 0.48 | 7.3 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| CVE-2026-35676 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password… |
| CVE-2026-35675 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain… |
| CVE-2026-42606 | | High | 0.46 | 8.1 | 0.00 | | May 9, 2026 | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password… |
| CVE-2026-29199 | | High | 0.46 | 8.1 | 0.00 | | May 4, 2026 | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who… |
| CVE-2026-30459 | | High | 0.46 | 7.1 | 0.00 | | Apr 16, 2026 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. |
| CVE-2026-28681 | | High | 0.46 | 8.1 | 0.00 | | Mar 6, 2026 | Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or… |
| CVE-2025-61977 | | High | 0.46 | 7.0 | 0.00 | | Oct 23, 2025 | A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question. |
| CVE-2024-6125 | | High | 0.46 | 8.1 | 0.00 | | Jun 19, 2024 | The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it… |
| CVE-2023-4214 | | High | 0.46 | 8.1 | 0.01 | | Nov 18, 2023 | The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. |
| CVE-2014-6412 | | High | 0.46 | 8.1 | 0.05 | | Apr 12, 2018 | WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
| CVE-2017-5594 | | High | 0.45 | 7.5 | 0.07 | | Jan 25, 2017 | An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01. |
| CVE-2017-2614 | | Med | 0.44 | 6.8 | 0.00 | | Jul 27, 2018 | When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining… |
| CVE-2026-7459 | | High | 0.42 | 7.5 | 0.01 | | May 30, 2026 | The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints… |
| CVE-2024-12604 | | Med | 0.42 | 6.5 | 0.00 | | Mar 10, 2025 | Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse. This issue affects Tap&Sign App:… |
| CVE-2017-1000141 | | Med | 0.42 | 6.5 | 0.01 | | Jan 30, 2018 | An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their… |
| CVE-2016-5997 | | Med | 0.42 | 6.5 | 0.01 | | Sep 26, 2016 | The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality… |