Total
121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27157 | 1 Php | 1 Pearweb | 2022-04-22 | 7.5 HIGH | 9.8 CRITICAL |
| pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php. | |||||
| CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2022-04-18 | 7.5 HIGH | 9.8 CRITICAL |
| Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | |||||
| CVE-2021-43498 | 1 Atutor | 1 Atutor | 2022-04-15 | 5.0 MEDIUM | 7.5 HIGH |
| An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set. | |||||
| CVE-2022-1073 | 1 Automatic Question Paper Generator System Project | 1 Automatic Question Paper Generator System | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in Automatic Question Paper Generator 1.0. It has been declared as critical. An attack leads to privilege escalation. The attack can be launched remotely. | |||||
| CVE-2022-0777 | 1 Microweber | 1 Microweber | 2022-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2019-18818 | 1 Strapi | 1 Strapi | 2022-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. | |||||
| CVE-2022-23619 | 1 Xwiki | 1 Xwiki | 2022-02-15 | 5.0 MEDIUM | 7.5 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue. | |||||
| CVE-2021-27654 | 1 Pega | 1 Infinity | 2022-02-03 | 4.6 MEDIUM | 7.8 HIGH |
| Forgotten password reset functionality for local accounts can be used to bypass local authentication checks. | |||||
| CVE-2021-22731 | 1 Schneider-electric | 32 Mcsesm043f23f0, Mcsesm043f23f0 Firmware, Mcsesm053f1cs0 and 29 more | 2022-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | |||||
| CVE-2021-44839 | 1 Deltarm | 1 Delta Rm | 2022-01-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses). | |||||
| CVE-2021-39919 | 1 Gitlab | 1 Gitlab | 2021-12-15 | 2.1 LOW | 4.4 MEDIUM |
| In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. | |||||
| CVE-2021-41694 | 1 Globaldatingsoftware | 1 Premiumdatingscript | 2021-12-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php. | |||||
| CVE-2021-44037 | 1 Teampasswordmanager | 1 Team Password Manager | 2021-11-22 | 5.0 MEDIUM | 7.5 HIGH |
| Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | |||||
| CVE-2021-39899 | 1 Gitlab | 1 Gitlab | 2021-10-12 | 1.9 LOW | 4.2 MEDIUM |
| In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations. | |||||
| CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2021-10-07 | 6.0 MEDIUM | 8.0 HIGH |
| In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. | |||||
| CVE-2021-36095 | 1 Otrs | 1 Otrs | 2021-09-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2021-08-30 | 5.0 MEDIUM | 7.5 HIGH |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
| CVE-2015-5172 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2021-08-25 | 7.5 HIGH | 9.8 CRITICAL |
| Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | |||||
| CVE-2015-3189 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2021-08-25 | 4.3 MEDIUM | 3.7 LOW |
| With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | |||||
| CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2021-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | |||||