Total
155 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23855 | 1 Saviynt | 1 Enterprise Identity Cloud | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An authentication bypass in ECM/maintenance/forgotpasswordstep1 allows an unauthenticated user to reset passwords and login as any local account. | |||||
CVE-2021-44839 | 1 Deltarm | 1 Delta Rm | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses). | |||||
CVE-2021-27654 | 1 Pega | 1 Infinity | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
Forgotten password reset functionality for local accounts can be used to bypass local authentication checks. | |||||
CVE-2021-44037 | 1 Teampasswordmanager | 1 Team Password Manager | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | |||||
CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. | |||||
CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||||
CVE-2021-22763 | 1 Schneider-electric | 10 Powerlogic Pm5560, Powerlogic Pm5560 Firmware, Powerlogic Pm5561 and 7 more | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device. | |||||
CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | |||||
CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | |||||
CVE-2021-28128 | 1 Strapi | 1 Strapi | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | |||||
CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | |||||
CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2024-02-28 | 5.8 MEDIUM | 8.1 HIGH |
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | |||||
CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | |||||
CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | |||||
CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | |||||
CVE-2021-37693 | 1 Discourse | 1 Discourse | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | |||||
CVE-2021-22731 | 1 Schneider-electric | 32 Mcsesm043f23f0, Mcsesm043f23f0 Firmware, Mcsesm053f1cs0 and 29 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | |||||
CVE-2021-25323 | 1 Misp | 1 Misp | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
CVE-2020-5361 | 1 Dell | 1 Cpg Bios | 2024-02-28 | 7.2 HIGH | 7.6 HIGH |
Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. |