Total
155 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28186 | 1 Terra-master | 1 Tos | 2024-02-28 | 6.8 MEDIUM | 7.3 HIGH |
| Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | |||||
| CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2024-02-28 | 4.8 MEDIUM | 8.1 HIGH |
| Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | |||||
| CVE-2020-27408 | 1 Os4ed | 1 Opensis | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | |||||
| CVE-2020-27179 | 1 Konzept-ix | 1 Publixone | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens. | |||||
| CVE-2020-25728 | 1 Alfresco | 1 Reset Password | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. | |||||
| CVE-2020-14015 | 1 Naviwebs | 1 Navigate Cms | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id). | |||||
| CVE-2020-25105 | 1 Eramba | 1 Eramba | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). | |||||
| CVE-2019-6560 | 1 Auto-maskin | 5 Dcu 210, Dcu 210 Firmware, Marine Pro Observer and 2 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | |||||
| CVE-2019-19844 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) | |||||
| CVE-2019-17392 | 1 Progress | 1 Sitefinity | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. | |||||
| CVE-2019-18818 | 1 Strapi | 1 Strapi | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. | |||||
| CVE-2012-5686 | 1 Zpanelcp | 1 Zpanel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| ZPanel 10.0.1 has insufficient entropy for its password reset process. | |||||
| CVE-2009-5025 | 1 Pyforum Project | 1 Pyforum | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user. | |||||
| CVE-2019-15929 | 1 Craftcms | 1 Craft Cms | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them. | |||||
| CVE-2019-14955 | 1 Jetbrains | 1 Hub | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | |||||
| CVE-2020-7245 | 1 Ctfd | 1 Ctfd | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
| Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's username, but with white space inserted before and/or after the username. This will register the account with the same username as the victim. After initiating a password reset for the new account, CTFd will reset the victim's account password due to the username collision. | |||||
| CVE-2019-15749 | 1 Sitos | 1 Sitos Six | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| SITOS six Build v6.2.1 allows a user to change their password and recovery email address without requiring them to confirm the change with their old password. This would allow an attacker with access to the victim's account (e.g., via XSS or an unattended workstation) to change that password and address. | |||||
| CVE-2012-5618 | 1 Ushahidi | 1 Ushahidi | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. | |||||
| CVE-2019-20004 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2024-02-28 | 4.3 MEDIUM | 8.8 HIGH |
| An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. | |||||
| CVE-2019-11414 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2024-02-28 | 4.3 MEDIUM | 8.8 HIGH |
| An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. | |||||