Total
170 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-6203 | 1 Haloservicesolutions | 1 Haloitsm | 2024-08-29 | 8.3 High |
HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. | ||||
CVE-2024-42915 | 1 Staff Appraisal System | 1 Staff Appraisal System | 2024-08-23 | 8 High |
A host header injection vulnerability in Staff Appraisal System v1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This will allow attackers to arbitrarily reset other users' passwords and compromise their accounts. | ||||
CVE-2024-38287 | 2 R-hub, Rhubcom | 2 Turbomeeting, Turbomeeting | 2024-08-13 | 9.1 Critical |
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator's password to a random insecure 8-digit value. | ||||
CVE-2024-38468 | 1 Guoxinled | 1 Synthesis Image System | 2024-08-07 | 9.8 Critical |
Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API. | ||||
CVE-2009-5025 | 1 Pyforum Project | 1 Pyforum | 2024-08-07 | 7.5 High |
A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user. | ||||
CVE-2012-5686 | 1 Zpanelcp | 1 Zpanel | 2024-08-06 | 9.8 Critical |
ZPanel 10.0.1 has insufficient entropy for its password reset process. | ||||
CVE-2012-5618 | 1 Ushahidi | 1 Ushahidi | 2024-08-06 | 9.8 Critical |
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. | ||||
CVE-2014-6412 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | ||||
CVE-2015-10071 | 1 Gitter | 1 Ez Publish Modern Legacy | 2024-08-06 | 2.6 Low |
A vulnerability was found in gitter-badger ezpublish-modern-legacy. It has been rated as problematic. This issue affects some unknown processing of the file kernel/user/forgotpassword.php. The manipulation leads to weak password recovery. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 1.0 is able to address this issue. The patch is named 5908d5ee65fec61ce0e321d586530461a210bf2a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218951. | ||||
CVE-2015-7257 | 1 Zte | 2 Zxv10 W300, Zxv10 W300 Firmware | 2024-08-06 | N/A |
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from "support" to "admin". | ||||
CVE-2015-5172 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-08-06 | 9.8 Critical |
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | ||||
CVE-2015-4689 | 1 Ellucian | 1 Banner Student | 2024-08-06 | N/A |
Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset." | ||||
CVE-2015-3189 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-08-06 | 3.7 Low |
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | ||||
CVE-2016-8716 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-08-06 | 7.5 High |
An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials. | ||||
CVE-2016-7038 | 1 Moodle | 1 Moodle | 2024-08-06 | N/A |
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | ||||
CVE-2016-5997 | 1 Ibm | 1 Tealeaf Customer Experience | 2024-08-06 | N/A |
The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not apply password-quality rules to password changes, which makes it easier for remote attackers to obtain access via a brute-force attack. | ||||
CVE-2016-5996 | 1 Ibm | 1 Tealeaf Customer Experience | 2024-08-06 | N/A |
The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 does not enforce password-length restrictions, which makes it easier for remote attackers to obtain access via a brute-force attack. | ||||
CVE-2016-2349 | 1 Bmc | 1 Remedy Action Request System | 2024-08-05 | N/A |
Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 allows attackers to reset arbitrary passwords via a blank previous password. | ||||
CVE-2017-1000141 | 1 Mahara | 1 Mahara | 2024-08-05 | N/A |
An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. | ||||
CVE-2017-17097 | 1 Gps-server | 1 Gps Tracking Software | 2024-08-05 | N/A |
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php. |