Vulnerabilities (CVE)

Filtered by CWE-640
Total 165 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3

CVE-2018-12421 | 1 (Ltb-project) | 1 (Ldap Tool Box Self Service Password) | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL
LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

CVE-2017-0921 | 1 (Gitlab) | 1 (Gitlab) | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account takeover if a victim's session is compromised.

CVE-2017-8916 | 1 (Cisecurity) | 1 (Cis-cat Pro Dashboard) | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH
In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an authenticated user is able to change an administrative user's e-mail address and send a forgot password email to themselves, thereby gaining administrative access.

CVE-2014-6412 | 1 (Wordpress) | 1 (Wordpress) | 2024-02-28 | 5.0 MEDIUM | 8.1 HIGH
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

CVE-2017-17097 | 1 (Gps-server) | 1 (Gps Tracking Software) | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.