Total
121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12476 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Adselfservice Plus | 2020-08-24 | 7.2 HIGH | 6.8 MEDIUM |
| An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. | |||||
| CVE-2020-14016 | 1 Naviwebs | 1 Navigate Cms | 2020-06-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users. | |||||
| CVE-2020-14015 | 1 Naviwebs | 1 Navigate Cms | 2020-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id). | |||||
| CVE-2019-6560 | 1 Auto-maskin | 5 Dcu 210, Dcu 210 Firmware, Marine Pro Observer and 2 more | 2020-03-25 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | |||||
| CVE-2012-5618 | 1 Ushahidi | 1 Ushahidi | 2020-02-12 | 5.0 MEDIUM | 9.8 CRITICAL |
| Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. | |||||
| CVE-2019-3787 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2020-02-10 | 4.3 MEDIUM | 8.8 HIGH |
| Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account. | |||||
| CVE-2012-5686 | 1 Zpanelcp | 1 Zpanel | 2020-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| ZPanel 10.0.1 has insufficient entropy for its password reset process. | |||||
| CVE-2020-7245 | 1 Ctfd | 1 Ctfd | 2020-01-31 | 6.8 MEDIUM | 9.8 CRITICAL |
| Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's username, but with white space inserted before and/or after the username. This will register the account with the same username as the victim. After initiating a password reset for the new account, CTFd will reset the victim's account password due to the username collision. | |||||
| CVE-2009-5025 | 1 Pyforum Project | 1 Pyforum | 2020-01-23 | 5.0 MEDIUM | 7.5 HIGH |
| A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user. | |||||
| CVE-2019-20004 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2020-01-14 | 4.3 MEDIUM | 8.8 HIGH |
| An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. | |||||
| CVE-2019-19844 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2020-01-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) | |||||
| CVE-2018-16988 | 1 Xdmod | 1 Open Xdmod | 2020-01-02 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes. | |||||
| CVE-2019-17392 | 1 Progress | 1 Sitefinity | 2019-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. | |||||
| CVE-2019-15929 | 1 Craftcms | 1 Craft Cms | 2019-10-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. | |||||
| CVE-2018-8916 | 1 Synology | 1 Diskstation Manager | 2019-10-09 | 4.0 MEDIUM | 8.8 HIGH |
| Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. | |||||
| CVE-2017-2614 | 1 Redhat | 1 Enterprise Virtualization | 2019-10-09 | 2.1 LOW | 6.3 MEDIUM |
| When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts. | |||||
| CVE-2017-14005 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes. | |||||
| CVE-2017-12161 | 1 Keycloak | 1 Keycloak | 2019-10-09 | 4.3 MEDIUM | 8.8 HIGH |
| It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. | |||||
| CVE-2019-15749 | 1 Sitos | 1 Sitos Six | 2019-10-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| SITOS six Build v6.2.1 allows a user to change their password and recovery email address without requiring them to confirm the change with their old password. This would allow an attacker with access to the victim's account (e.g., via XSS or an unattended workstation) to change that password and address. | |||||
| CVE-2019-14955 | 1 Jetbrains | 1 Hub | 2019-10-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | |||||