Total
155 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000554 | 1 Trovebox | 1 Trovebox | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. | |||||
| CVE-2018-10081 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring. | |||||
| CVE-2017-12161 | 1 Keycloak | 1 Keycloak | 2024-02-28 | 4.3 MEDIUM | 8.8 HIGH |
| It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. | |||||
| CVE-2018-0787 | 1 Microsoft | 1 Asp.net Core | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability". | |||||
| CVE-2018-10210 | 1 Vaultize | 1 Enterprise File Sharing | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. Enumeration of users is possible through the password-reset feature. | |||||
| CVE-2018-11134 | 1 Quest | 1 Kace System Management Appliance | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password (including root). A low-privilege user could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges. | |||||
| CVE-2017-1000141 | 1 Mahara | 1 Mahara | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. | |||||
| CVE-2018-8916 | 1 Synology | 1 Diskstation Manager | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
| Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. | |||||
| CVE-2018-1000501 | 1 Instant-update | 1 Instant Update Cms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Instant Update CMS contains a Password Reset Vulnerability vulnerability in /iu-application/controllers/administration/auth.php that can result in Account Tackover. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in v0.3.3. | |||||
| CVE-2018-12421 | 1 Ltb-project | 1 Ldap Tool Box Self Service Password | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string. | |||||
| CVE-2017-0921 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised. | |||||
| CVE-2017-8916 | 1 Cisecurity | 1 Cis-cat Pro Dashboard | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
| In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an authenticated user is able to change an administrative user's e-mail address and send a forgot password email to themselves, thereby gaining administrative access. | |||||
| CVE-2014-6412 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 5.0 MEDIUM | 8.1 HIGH |
| WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | |||||
| CVE-2015-5172 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | |||||
| CVE-2017-9543 | 1 Echatserver | 1 Easy Chat Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm. | |||||
| CVE-2017-7629 | 1 Qnap | 1 Qts | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function. | |||||
| CVE-2017-12850 | 1 Kanboard | 1 Kanboard | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
| An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46. | |||||
| CVE-2017-8613 | 1 Microsoft | 1 Azure Active Directory Connect | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Azure AD Connect Elevation of Privilege Vulnerability." | |||||
| CVE-2015-3189 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-02-28 | 4.3 MEDIUM | 3.7 LOW |
| With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | |||||
| CVE-2017-12851 | 1 Kanboard | 1 Kanboard | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
| An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46. | |||||