Total: 152 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-14016 | 1 Naviwebs | 1 Navigate Cms | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users. |
CVE-2020-25105 | 1 Eramba | 1 Eramba | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). |
CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH | In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address of another registered user and then retrieve the recovery code. |
CVE-2019-6560 | 1 Auto-maskin | 5 Dcu 210, Dcu 210 Firmware, Marine Pro Observer and 2 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL | In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior, and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
CVE-2020-25728 | 1 Alfresco | 1 Reset Password | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password, including the admin account. |
CVE-2009-5025 | 1 Pyforum Project | 1 Pyforum | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user. |
CVE-2019-15749 | 1 Sitos | 1 Sitos Six | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | SITOS six Build v6.2.1 allows a user to change their password and recovery email address without requiring them to confirm the change with their old password. This would allow an attacker with access to the victim's account (e.g., via XSS or an unattended workstation) to change that password and address. |
CVE-2012-5618 | 1 Ushahidi | 1 Ushahidi | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. |
CVE-2019-17392 | 1 Progress | 1 Sitefinity | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. |
CVE-2012-5686 | 1 Zpanelcp | 1 Zpanel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | ZPanel 10.0.1 has insufficient entropy for its password reset process. |
CVE-2019-15929 | 1 Craftcms | 1 Craft Cms | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | In Craft CMS through 3.1.7, the elevated session password prompt was not rate limited like normal login forms, leading to the possibility of a brute-force attempt on it. |
CVE-2019-19844 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) |
CVE-2019-14955 | 1 Jetbrains | 1 Hub | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password, and no password expiration policy was implemented. |
CVE-2020-7245 | 1 Ctfd | 1 Ctfd | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL | Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's username, but with white space inserted before and/or after the username. This will register the account with the same username as the victim. After initiating a password reset for the new account, CTFd will reset the victim's account password due to the username collision. |
CVE-2019-20004 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2023-12-10 | 4.3 MEDIUM | 8.8 HIGH | An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. |
CVE-2019-18818 | 1 Strapi | 1 Strapi | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. |
CVE-2018-16529 | 1 Forcepoint | 1 Email Security | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x. The password reset URL can be used after the intended expiration period or after the URL has already been used to reset a password. |
CVE-2019-12943 | 1 Ttlock | 1 Ttlock | 2023-12-10 | 2.6 LOW | 8.1 HIGH | TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names. |
CVE-2018-19488 | 1 Wp-jobhunt Project | 1 Wp-jobhunt | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user's account. |
CVE-2019-11393 | 1 Tildeslash | 1 Monit | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | An issue was discovered in /admin/users/update in M/Monit before 3.7.3. It allows unprivileged users to escalate their privileges to an administrator by requesting a password change and specifying the admin parameter. |