25 matches found
Cross-site Request Forgery (CSRF)
Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the sendlogin process in modules/registration.php when a registration-administrator visits a...
Received an Instagram password reset email? Here’s what you need to know
Last week, many Instagram users began receiving unsolicited emails from the platform that warned about a password reset request. The message said: “Hi username, We got a request to reset your Instagram password. If you ignore this message, your password will not be changed. If you didn’t request ...
CVE-2024-32642
Masa CMS is vulnerable to host header poisoning before versions 7.2.8, 7.3.13, and 7.4.6. This defect can enable account takeover via the password reset email by manipulating the host header. The issue is fixed in 7.2.8, 7.3.13, and 7.4.6. Remediation is to upgrade Masa CMS to one of the fixed ve...
EUVD-2024-30444
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...
CVE-2024-32642 Host header poisoning allows account takeover via password reset email
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...
ROS-20251113-02
The Webmin hosting control panel vulnerability involves manipulating the Host header to inject a malicious domain into the link in a password reset email. Exploitation of the vulnerability could allow an attacker acting remotely to intercept the password reset...
CVE-2025-53522
Movable Type contains an issue with the use of a less trusted source. If exploited, a tampered password reset email may be sent by a remote unauthenticated attacker...
Movable Type Security Vulnerability
Movable Type is a content management system from Movable Type, Inc. A security vulnerability exists in Movable Type that stems from the use of a low-trustworthiness source, which could allow a remote, unauthenticated attacker to send a doctored password reset email...
CVE-2025-27568
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request...
CVE-2025-1108
Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting malicious content into...
CVE-2024-8979
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'initcontentlostpassworduseremailcontrols' function. This makes it...
PT-2024-1901 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.1 through 16.7.5 GitLab CE/EE versions 16.8 through 16.8.2 GitLab CE/EE versions 16.9 through 16.9.0 Description: An issue has been discovered affecting GitLab CE/EE, where under some specialized conditions, an LDAP...
PT-2023-23713 · Silverstripe · Silverstripe/Framework
Name of the Vulnerable Software and Affected Versions: Silverstripe Framework versions prior to 4.13.4 Silverstripe Framework versions prior to 5.0.13 Description: The issue arises when a new member record is created without setting a password, resulting in an empty encrypted password. If an...
PT-2022-5543 · Owncloud · Owncloud Server
Name of the Vulnerable Software and Affected Versions: ownCloud Server versions prior to 10.11 Description: The issue is related to a misconfiguration in the ownCloud Server Docker image that affects the trusted domains config, making it useless. This could be exploited to spoof the URL in...
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package...
Information Disclosure
livehelperchat is vulnerable to information disclosure. The vulnerability exists in forgotpasswordsent.tpl.php because the error message indicates that a password reset email was sent, which allows an attacker to gain access to sensitive information about an existing account...
UPchieve: No Rate Limiting for Password Reset Email Leads to Email Flooding
There is "No Rate Limiting" implemented in sending the Password Reset Email. Thus, an attacker can use this vulnerability to bomb out the email inbox of the victim. Affected URL: https://hackers.upchieve.org/resetpassword Steps to Reproduce: 1. Log in to: https://hackers.upchieve.org/ 2. Go to:...
CVE-2021-37541
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible...