Total
191 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22691 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 6.8 Medium |
| The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats. | ||||
| CVE-2022-0777 | 1 Microweber | 1 Microweber | 2024-11-21 | 7.5 High |
| Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. | ||||
| CVE-2021-44839 | 1 Deltarm | 1 Delta Rm | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses). | ||||
| CVE-2021-44037 | 1 Teampasswordmanager | 1 Team Password Manager | 2024-11-21 | 7.5 High |
| Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | ||||
| CVE-2021-43498 | 1 Atutor | 1 Atutor | 2024-11-21 | 7.5 High |
| An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set. | ||||
| CVE-2021-39919 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.4 Medium |
| In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. | ||||
| CVE-2021-39899 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 2.9 Low |
| In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations. | ||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.3 Medium |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | ||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2024-11-21 | 6.1 Medium |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | ||||
| CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 5.4 Medium |
| Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | ||||
| CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2024-11-21 | 7.5 High |
| In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | ||||
| CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2024-11-21 | 9.8 Critical |
| In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | ||||
| CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.3 Medium |
| Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | ||||
| CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-11-21 | 7.5 High |
| Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | ||||
| CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 8.8 High |
| In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | ||||
| CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2024-11-21 | 8.1 High |
| Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | ||||
| CVE-2021-29038 | 2024-11-21 | 6.3 Medium | ||
| Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers. | ||||
| CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2024-11-21 | 9.8 Critical |
| Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | ||||
| CVE-2021-28128 | 1 Strapi | 1 Strapi | 2024-11-21 | 8.1 High |
| In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | ||||
| CVE-2021-27654 | 1 Pega | 1 Infinity | 2024-11-21 | 7.8 High |
| Forgotten password reset functionality for local accounts can be used to bypass local authentication checks. | ||||