Total
165 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-5594 | 1 Pagekit | 1 Pagekit | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01. | |||||
CVE-2017-2766 | 1 Emc | 1 Documentum Eroom | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 SP1, EMC Documentum eRoom version prior to 7.4.5 P04, EMC Documentum eRoom version prior to 7.5.0 P01 includes an unverified password change vulnerability that could potentially be exploited by malicious users to compromise the affected system. | |||||
CVE-2017-2614 | 1 Redhat | 1 Enterprise Virtualization | 2024-11-21 | 2.1 LOW | 6.8 MEDIUM |
When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts. | |||||
CVE-2017-17097 | 1 Gps-server | 1 Gps Tracking Software | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php. | |||||
CVE-2017-14005 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes. | |||||
CVE-2017-12851 | 1 Kanboard | 1 Kanboard | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46. | |||||
CVE-2017-12850 | 1 Kanboard | 1 Kanboard | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46. | |||||
CVE-2017-12161 | 1 Keycloak | 1 Keycloak | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. | |||||
CVE-2017-1000141 | 1 Mahara | 1 Mahara | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. | |||||
CVE-2017-0921 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised. | |||||
CVE-2016-8716 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-11-21 | 3.3 LOW | 7.5 HIGH |
An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials. | |||||
CVE-2016-7038 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | |||||
CVE-2016-5997 | 1 Ibm | 1 Tealeaf Customer Experience | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||||
CVE-2016-5996 | 1 Ibm | 1 Tealeaf Customer Experience | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||||
CVE-2016-2349 | 1 Bmc | 1 Remedy Action Request System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password. | |||||
CVE-2015-7257 | 1 Zte | 2 Zxv10 W300, Zxv10 W300 Firmware | 2024-11-21 | 8.5 HIGH | 7.5 HIGH |
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from "support" to "admin". | |||||
CVE-2015-5172 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | |||||
CVE-2015-4689 | 1 Ellucian | 1 Banner Student | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset." | |||||
CVE-2015-3189 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | |||||
CVE-2014-6412 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |