Total
185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39919 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
| In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. | |||||
| CVE-2021-39899 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 1.9 LOW | 2.9 LOW |
| In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations. | |||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
| CVE-2021-37541 | 1 Jetbrains | 1 Hub | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | |||||
| CVE-2021-36804 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications. | |||||
| CVE-2021-36708 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router. | |||||
| CVE-2021-36209 | 1 Jetbrains | 1 Hub | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | |||||
| CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||||
| CVE-2021-33321 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true. | |||||
| CVE-2021-31912 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset. | |||||
| CVE-2021-29080 | 1 Netgear | 32 Cbr40, Cbr40 Firmware, R6900p and 29 more | 2024-11-21 | 4.8 MEDIUM | 8.1 HIGH |
| Certain NETGEAR devices are affected by password reset by an unauthenticated attacker. This affects RBK852 before 3.2.10.11, RBK853 before 3.2.10.11, RBR854 before 3.2.10.11, RBR850 before 3.2.10.11, RBS850 before 3.2.10.11, CBR40 before 2.5.0.10, R7000 before 1.0.11.116, R6900P before 1.3.2.126, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, and R7000P before 1.3.2.126. | |||||
| CVE-2021-29038 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers. | |||||
| CVE-2021-28293 | 1 Seceon | 1 Aisiem | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user. | |||||
| CVE-2021-28128 | 1 Strapi | 1 Strapi | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. | |||||
| CVE-2021-27654 | 1 Pega | 1 Infinity | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Forgotten password reset functionality for local accounts can be used to bypass local authentication checks. | |||||
| CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. | |||||
| CVE-2021-25957 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password. | |||||
| CVE-2021-25323 | 1 Misp | 1 Misp | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. | |||||
| CVE-2021-22731 | 1 Schneider-electric | 32 Mcsesm043f23f0, Mcsesm043f23f0 Firmware, Mcsesm053f1cs0 and 29 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | |||||
| CVE-2020-7245 | 1 Ctfd | 1 Ctfd | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd instance. To exploit the vulnerability, one must register with a username identical to the victim's username, but with white space inserted before and/or after the username. This will register the account with the same username as the victim. After initiating a password reset for the new account, CTFd will reset the victim's account password due to the username collision. | |||||