CVE-2025-55629
Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.46622503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value...
Brute Force
Overview: vantage6-server is a Vantage6 server. Affected versions of this package are vulnerable to Brute Force due to a lack of rate limiting on the password change functionality. An attacker who has gained access to an authenticated session can attempt to brute-force the user's password. They can...
vantage6 security vulnerability
vantage6 is a vantage6 open source priVAcy preserviNg federaTed leArninG infrastructure for Secure Insight eXchange. A security vulnerability exists in vantage6 versions prior to 4.11 that stems from the change password feature allowing unlimited attempts, which could lead to a brute force atta...
The vulnerability of the DataHandler module and the Setup Module of the TYPO3 content management system allows attackers to bypass security restrictions and gain unauthorized access to protected information.
The vulnerability of the DataHandler module and the Setup Module in the TYPO3 content management system is related to the lack of necessary checks during password changes. Exploiting this vulnerability allows an attacker to bypass security restrictions and gain unauthorized access to protected...
The vulnerability of the sub_41F4F0 function in D-Link DI-7003GV2 router firmware allows a hacker to change the user password.
The vulnerability of the sub_41F4F0 function in D-Link DI-7003GV2 router firmware is related to the lack of necessary checks during password changes. Exploiting this vulnerability can allow an attacker to remotely change a user's password...
CVE-2021-34244
A cross-site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords...
CVE-2021-21495
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executarcentral.php?acao=altsenhaprinc URI...
CVE-2019-3467
Debian-edu-config all versions < 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals...
CVE-2018-20862
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366)...
Session Hijacking
typo3/cms is vulnerable to Session Hijacking. The vulnerability is due to insufficient authentication mechanisms: the backend user management interface allows password changes without requiring the current password, which allows an attacker with access to an admin session to change...
Netis Systems WF2220 access control error vulnerability
The Netis Systems WF2220 is a wireless USB network card from Netis Systems. An access control error vulnerability exists in the Netis Systems WF2220 version 1.2.31706, which originates from accessing the /cgi-bin-igd/netcoreset.cgi endpoint without authentication, which could lead to administrato...
Ensure That the Weak Password Dictionary Is Set Correctly
If a user password is weak, it is easy for attackers to guess the password or crack it through dictionary attacks in a short period of time. A weak password dictionary is a collection of passwords that are not strong enough and can be easily cracked through guesses. Weak passwords include default...
CVE-2025-3603
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for...
CVE-2025-24859
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This...
CVE-2025-26010
Telesquare TLR-2005KSH 1.1.4 allows unauthorized password modification when requesting the admin.cgi parameter with setUserNamePassword...
Telesquare TLR-2005Ksh security vulnerability
The Telesquare TLR-2005Ksh is a wireless router from the South Korean company Telesquare. A security vulnerability exists in Telesquare TLR-2005Ksh version 1.1.4, which originates from a request to the admin.cgi parameter setUserNamePassword that allows unauthorized password changes...
CVE-2024-9431
In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover...
CVE-2025-25585
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords...
Exploit for Weak Password Requirements in Digitaldruid Hoteldruid
CVE-2025-25749-Weak-Password-Policy-in-HotelDruid-3.0.7 De...
PT-2025-10458
Name of the Vulnerable Software and Affected Versions: HotelDruid version 3.0.7 Description: A CSRF issue in the "gestione utenti.php" endpoint allows attackers to perform unauthorized actions, such as modifying user passwords, on behalf of authenticated users. This is due to the lack of origin o...