Total
156 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-36095 | 1 Otrs | 1 Otrs | 2021-09-09 | 5.3 Medium |
| Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | ||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2021-08-30 | 7.5 High |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | ||||
| CVE-2015-5172 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2021-08-25 | 9.8 Critical |
| Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | ||||
| CVE-2015-3189 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2021-08-25 | 3.7 Low |
| With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | ||||
| CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2021-08-24 | 8.8 High |
| In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | ||||
| CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2021-08-13 | 8.1 High |
| Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | ||||
| CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2021-08-12 | 7.5 High |
| In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | ||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2021-08-12 | 6.1 Medium |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | ||||
| CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2021-08-12 | 9.8 Critical |
| In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | ||||
| CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 7.5 High |
| Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | ||||
| CVE-2020-27408 | 1 Os4ed | 1 Opensis | 2021-07-21 | 7.5 High |
| OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | ||||
| CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2021-05-17 | 8.8 High |
| In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | ||||
| CVE-2021-28128 | 1 Strapi | 1 Strapi | 2021-05-14 | 8.1 High |
| In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | ||||
| CVE-2017-9543 | 1 Echatserver | 1 Easy Chat Server | 2021-03-26 | 7.5 High |
| register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm. | ||||
| CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2021-03-24 | 8.1 High |
| Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | ||||
| CVE-2020-5361 | 1 Dell | 1 Cpg Bios | 2021-01-29 | 7.6 High |
| Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. | ||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2021-01-22 | 9.1 Critical |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | ||||
| CVE-2017-5594 | 1 Pagekit | 1 Pagekit | 2021-01-08 | 7.5 High |
| An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01. | ||||
| CVE-2020-28186 | 1 Terra-master | 1 Tos | 2020-12-28 | 7.3 High |
| Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | ||||
| CVE-2016-7038 | 1 Moodle | 1 Moodle | 2020-12-01 | N/A |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | ||||