Total
121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2021-08-13 | 5.8 MEDIUM | 8.1 HIGH |
| Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | |||||
| CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2021-08-12 | 5.0 MEDIUM | 7.5 HIGH |
| In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | |||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2021-08-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | |||||
| CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | |||||
| CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | |||||
| CVE-2020-27408 | 1 Os4ed | 1 Opensis | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | |||||
| CVE-2021-22763 | 1 Schneider-electric | 10 Powerlogic Pm5560, Powerlogic Pm5560 Firmware, Powerlogic Pm5561 and 7 more | 2021-06-23 | 10.0 HIGH | 9.8 CRITICAL |
| A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device. | |||||
| CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2021-05-17 | 6.8 MEDIUM | 8.8 HIGH |
| In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | |||||
| CVE-2021-28128 | 1 Strapi | 1 Strapi | 2021-05-14 | 5.5 MEDIUM | 8.1 HIGH |
| In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | |||||
| CVE-2017-9543 | 1 Echatserver | 1 Easy Chat Server | 2021-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm. | |||||
| CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2021-03-24 | 4.8 MEDIUM | 8.1 HIGH |
| Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | |||||
| CVE-2020-5361 | 1 Dell | 1 Cpg Bios | 2021-01-29 | 7.2 HIGH | 7.6 HIGH |
| Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. | |||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2021-01-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
| CVE-2017-5594 | 1 Pagekit | 1 Pagekit | 2021-01-08 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01. | |||||
| CVE-2020-28186 | 1 Terra-master | 1 Tos | 2020-12-28 | 6.8 MEDIUM | 7.3 HIGH |
| Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | |||||
| CVE-2016-7038 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 7.3 HIGH |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | |||||
| CVE-2020-27179 | 1 Konzept-ix | 1 Publixone | 2020-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens. | |||||
| CVE-2020-25728 | 1 Alfresco | 1 Reset Password | 2020-09-25 | 6.5 MEDIUM | 8.8 HIGH |
| The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. | |||||
| CVE-2020-25105 | 1 Eramba | 1 Eramba | 2020-09-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). | |||||
| CVE-2019-12476 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Adselfservice Plus | 2020-08-24 | 7.2 HIGH | 6.8 MEDIUM |
| An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. | |||||