Total
170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-13240 | 1 Glpi-project | 1 Glpi | 2024-08-04 | N/A |
| An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address. | ||||
| CVE-2019-12943 | 1 Ttlock | 1 Ttlock | 2024-08-04 | 8.1 High |
| TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names. | ||||
| CVE-2019-12476 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Adselfservice Plus | 2024-08-04 | N/A |
| An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. | ||||
| CVE-2019-11414 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2024-08-04 | N/A |
| An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the administrator password is changed from a certain client IP address, administrative authorization remains available to any client at that IP address, leading to complete control of the router. | ||||
| CVE-2019-11393 | 1 Tildeslash | 1 Monit | 2024-08-04 | N/A |
| An issue was discovered in /admin/users/update in M/Monit before 3.7.3. It allows unprivileged users to escalate their privileges to an administrator by requesting a password change and specifying the admin parameter. | ||||
| CVE-2019-10641 | 1 Contao | 1 Contao Cms | 2024-08-04 | N/A |
| Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password. | ||||
| CVE-2019-10270 | 1 Ultimatemember | 1 Ultimate Member | 2024-08-04 | 8.8 High |
| An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation. | ||||
| CVE-2019-6560 | 1 Auto-maskin | 5 Dcu 210, Dcu 210 Firmware, Marine Pro Observer and 2 more | 2024-08-04 | 9.1 Critical |
| In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | ||||
| CVE-2020-28186 | 1 Terra-master | 1 Tos | 2024-08-04 | 7.3 High |
| Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | ||||
| CVE-2020-27408 | 1 Os4ed | 1 Opensis | 2024-08-04 | 7.5 High |
| OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | ||||
| CVE-2020-27179 | 1 Konzept-ix | 1 Publixone | 2024-08-04 | 9.8 Critical |
| konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens. | ||||
| CVE-2020-25728 | 1 Alfresco | 1 Reset Password | 2024-08-04 | 8.8 High |
| The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. | ||||
| CVE-2020-25105 | 1 Eramba | 1 Eramba | 2024-08-04 | 9.8 Critical |
| eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). | ||||
| CVE-2020-14016 | 1 Naviwebs | 1 Navigate Cms | 2024-08-04 | 5.3 Medium |
| An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users. | ||||
| CVE-2020-14015 | 1 Naviwebs | 1 Navigate Cms | 2024-08-04 | 7.5 High |
| An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id). | ||||
| CVE-2020-12067 | 1 Pilz | 1 Pmc | 2024-08-04 | 7.5 High |
| In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. | ||||
| CVE-2020-11027 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-04 | 6.1 Medium |
| In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | ||||
| CVE-2020-7245 | 1 Ctfd | 1 Ctfd | 2024-08-04 | 9.8 Critical |
| Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's username, but with white space inserted before and/or after the username. This will register the account with the same username as the victim. After initiating a password reset for the new account, CTFd will reset the victim's account password due to the username collision. | ||||
| CVE-2021-44839 | 1 Deltarm | 1 Delta Rm | 2024-08-04 | 6.5 Medium |
| An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses). | ||||
| CVE-2021-44037 | 1 Teampasswordmanager | 1 Team Password Manager | 2024-08-04 | 7.5 High |
| Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. | ||||