Total
165 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5840 | 1 Linkstack | 1 Linkstack | 2024-02-28 | N/A | 8.8 HIGH |
| Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9. | |||||
| CVE-2023-35134 | 1 Weintek | 1 Weincloud | 2024-02-28 | N/A | 5.9 MEDIUM |
| Weintek Weincloud v0.13.6 could allow an attacker to reset a password with the corresponding account’s JWT token only. | |||||
| CVE-2023-34357 | 1 Scshr | 1 Hr Portal | 2024-02-28 | N/A | 7.8 HIGH |
| Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account. | |||||
| CVE-2023-31459 | 1 Mitel | 1 Mivoice Connect | 2024-02-28 | N/A | 8.8 HIGH |
| A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands. | |||||
| CVE-2022-45637 | 1 Megafeis | 1 Bofei Dbd\+ | 2024-02-28 | N/A | 9.8 CRITICAL |
| An insecure password reset issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 service via insecure expiry mechanism. | |||||
| CVE-2023-26615 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-02-28 | N/A | 7.5 HIGH |
| D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password. | |||||
| CVE-2021-36436 | 1 Mobicint | 1 Mobicint | 2024-02-28 | N/A | 5.3 MEDIUM |
| An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint. | |||||
| CVE-2023-31287 | 1 Serenity | 2 Serene, Startsharp | 2024-02-28 | N/A | 7.8 HIGH |
| An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account. | |||||
| CVE-2023-28821 | 1 Concretecms | 1 Concrete Cms | 2024-02-28 | N/A | 5.3 MEDIUM |
| Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | |||||
| CVE-2023-30466 | 1 Milesight | 40 Ms-n1004-uc, Ms-n1004-uc Firmware, Ms-n1004-upc and 37 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http requests on the targeted device. Successful exploitation of this vulnerability could allow remote attacker to account takeover on the targeted device. | |||||
| CVE-2022-47377 | 1 Sick | 2 Sim2000 Firmware, Sim2000st | 2024-02-28 | N/A | 9.8 CRITICAL |
| Password recovery vulnerability in SICK SIM2000ST Partnumber 2086502 with firmware version <1.13.4 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 1.13.4 as soon as possible (available in SICK Support Portal). | |||||
| CVE-2022-25027 | 1 Rocketsoftware | 1 Trufusion Enterprise | 2024-02-28 | N/A | 7.5 HIGH |
| The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user's session token when the "Password forgotten?" button is clicked. | |||||
| CVE-2020-12067 | 1 Pilz | 1 Pmc | 2024-02-28 | N/A | 7.5 HIGH |
| In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. | |||||
| CVE-2022-3485 | 1 Ifm | 4 Moneo Qha200, Moneo Qha200 Firmware, Moneo Qha210 and 1 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device. | |||||
| CVE-2022-26872 | 1 Ami | 1 Megarac Sp-x | 2024-02-28 | N/A | 8.8 HIGH |
| AMI Megarac Password reset interception via API | |||||
| CVE-2022-23172 | 1 Priority-software | 1 Priority | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not. | |||||
| CVE-2022-34530 | 1 Backdropcms | 1 Backdrop Cms | 2024-02-28 | N/A | 5.3 MEDIUM |
| An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames. | |||||
| CVE-2022-37300 | 1 Schneider-electric | 70 Ecostruxure Control Expert, Ecostruxure Process Expert, Modicon M340 Bmxp341000 and 67 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior). | |||||
| CVE-2022-44004 | 1 Backclick | 1 Backclick | 2024-02-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password. | |||||
| CVE-2021-43498 | 1 Atutor | 1 Atutor | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set. | |||||