Total
156 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-23172 | 1 Priority-software | 1 Priority | 2022-07-14 | 4.3 Medium |
| An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not. | ||||
| CVE-2022-29174 | 1 Count | 1 Countly Server | 2022-05-30 | 8.1 High |
| countly-server is the server-side part of Countly, a product analytics solution. Prior to versions 22.03.7 and 21.11.4, a malicious actor who knows an account email address/username and full name specified in the database is capable of guessing the password reset token. The actor may use this information to reset the password and take over the account. The problem has been patched in Countly Server version 22.03.7 for servers using the new user interface and in 21.11.4 for servers using the old user interface. | ||||
| CVE-2022-29933 | 1 Craftcms | 1 Craft Cms | 2022-05-18 | 8.8 High |
| Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | ||||
| CVE-2022-24892 | 1 Shopware | 1 Shopware | 2022-05-10 | 7.5 High |
| Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9. | ||||
| CVE-2018-16529 | 1 Forcepoint | 1 Email Security | 2022-04-22 | 9.8 Critical |
| A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x. The password reset URL can be used after the intended expiration period or after the URL has already been used to reset a password. | ||||
| CVE-2022-27157 | 1 Php | 1 Pearweb | 2022-04-22 | 9.8 Critical |
| pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php. | ||||
| CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2022-04-19 | 9.8 Critical |
| Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | ||||
| CVE-2021-43498 | 1 Atutor | 1 Atutor | 2022-04-15 | 7.5 High |
| An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set. | ||||
| CVE-2022-1073 | 1 Automatic Question Paper Generator System Project | 1 Automatic Question Paper Generator System | 2022-04-04 | 9.8 Critical |
| A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely. | ||||
| CVE-2022-0777 | 1 Microweber | 1 Microweber | 2022-03-09 | 7.5 High |
| Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. | ||||
| CVE-2019-18818 | 1 Strapi | 1 Strapi | 2022-02-20 | 9.8 Critical |
| strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. | ||||
| CVE-2022-23619 | 1 Xwiki | 1 Xwiki | 2022-02-15 | 7.5 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue. | ||||
| CVE-2021-27654 | 1 Pega | 1 Infinity | 2022-02-03 | 7.8 High |
| Forgotten password reset functionality for local accounts can be used to bypass local authentication checks. | ||||
| CVE-2021-22731 | 1 Schneider-electric | 32 Mcsesm043f23f0, Mcsesm043f23f0 Firmware, Mcsesm053f1cs0 and 29 more | 2022-02-01 | 9.8 Critical |
| Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | ||||
| CVE-2022-22691 | 1 Umbraco | 1 Umbraco Cms | 2022-01-26 | 7.4 High |
| The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats. | ||||
| CVE-2021-44839 | 1 Deltarm | 1 Delta Rm | 2022-01-25 | 6.5 Medium |
| An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses). | ||||
| CVE-2021-39919 | 1 Gitlab | 1 Gitlab | 2021-12-16 | 4.4 Medium |
| In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. | ||||
| CVE-2021-44037 | 1 Teampasswordmanager | 1 Team Password Manager | 2021-11-22 | 7.5 High |
| Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | ||||
| CVE-2021-39899 | 1 Gitlab | 1 Gitlab | 2021-10-12 | 4.2 Medium |
| In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations. | ||||
| CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2021-10-07 | 8.0 High |
| In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. | ||||