Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
CWE
:
Topic
Date
Author
Med.
Password Manager 5.8 : Secret answer enumeration
23.05.2020
Clément Cruchet
Med.
Ultimate Member 2.39 Arbitrary password reset
16.06.2019
Clément Cruchet
CVEMAP Search Results
CVE
Details
Description
2021-01-19
Medium
CVE-2021-25323
Vendor:
MISP
Software:
MISP
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
2020-12-24
Medium
CVE-2020-28186
Vendor:
Terra-master
Software:
TOS
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
2020-11-05
Medium
CVE-2020-15949
Vendor:
Immuta
Software:
Immuta
Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover.
2020-10-27
Medium
CVE-2020-27179
Vendor:
Konzept-ix
Software:
Publixone
konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens.
2020-10-05
Medium
CVE-2020-26061
Vendor:
Clickstudios
Software:
Passwordstate
ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.
2020-09-17
Medium
CVE-2020-25728
Vendor:
Alfresco
Software:
Reset password
The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account.
2020-09-03
Medium
CVE-2020-25105
Vendor:
Eramba
Software:
Eramba
eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities).
2020-06-24
Medium
CVE-2020-14015
Vendor:
Naviwebs
Software:
Navigate cms
An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id).
Medium
CVE-2020-14016
Vendor:
Naviwebs
Software:
Navigate cms
An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.
2020-04-30
Medium
CVE-2020-11027
Vendor:
Wordpress
Software:
Wordpress
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Copyright
2021
, cxsecurity.com
Back to Top
