Total
152 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-36095 | 1 Otrs | 1 Otrs | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||||
CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | |||||
CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | |||||
CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | |||||
CVE-2021-28128 | 1 Strapi | 1 Strapi | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | |||||
CVE-2021-37693 | 1 Discourse | 1 Discourse | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | |||||
CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | |||||
CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | |||||
CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | |||||
CVE-2021-22731 | 1 Schneider-electric | 32 Mcsesm043f23f0, Mcsesm043f23f0 Firmware, Mcsesm053f1cs0 and 29 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | |||||
CVE-2021-22763 | 1 Schneider-electric | 10 Powerlogic Pm5560, Powerlogic Pm5560 Firmware, Powerlogic Pm5561 and 7 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device. | |||||
CVE-2021-25323 | 1 Misp | 1 Misp | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
CVE-2020-15949 | 1 Immuta | 1 Immuta | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover. | |||||
CVE-2020-26061 | 1 Clickstudios | 1 Passwordstate | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user. | |||||
CVE-2020-28186 | 1 Terra-master | 1 Tos | 2023-12-10 | 6.8 MEDIUM | 7.3 HIGH |
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | |||||
CVE-2020-5361 | 1 Dell | 1 Cpg Bios | 2023-12-10 | 7.2 HIGH | 7.6 HIGH |
Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. | |||||
CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2023-12-10 | 4.8 MEDIUM | 8.1 HIGH |
Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | |||||
CVE-2020-27179 | 1 Konzept-ix | 1 Publixone | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens. | |||||
CVE-2020-14015 | 1 Naviwebs | 1 Navigate Cms | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id). |