37 matches found
CVE-2018-19511
wg7.php in Webgalamb 7.0 lacks security measures to prevent CSRF attacks, as demonstrated by wg7.php?options=1 to change the administrator password...
EUVD-2019-3089
Malware in sbrugna...
EUVD-2018-0018
Malware in sbrugna...
EUVD-2024-1288
Malicious code in bioql PyPI...
EUVD-2024-48129
Malicious code in bioql PyPI...
EUVD-2024-0197
Malicious code in bioql PyPI...
CVE-2025-48476 FreeScout Has Business Logic Errors
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result...
CVE-2023-29975
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification...
CVE-2022-21652
Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account...
CVE-2021-25940
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system...
CVE-2021-25323
The default setting of MISP 2.4.136 did not enable the requirements aka requirepasswordconfirmation to provide the previous password when changing a password...
CVE-2021-3740
A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a...
CVE-2013-5116
Evernote prior to 5.5.1 has insecure password change...
CVE-2019-15299
An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contactautologinkey field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication...
CVE-2008-7289
IBM Tivoli Directory Server TDS 5.2 before 5.2.0.5-TIV-ITDS-LA0007 does not properly handle the simultaneous changing of multiple passwords, which makes it easier for remote authenticated users to cause a denial of service DB2 daemon deadlock by making password changes that trigger updates to a D...
TYPO3 9.0.0 < 9.5.51 ELTS / 10.0.0 < 10.4.50 ELTS / 11.0.0 < 11.5.44 ELTS / 12.0.0 < 12.4.31 / 13.0.0 < 13.4.12 (TYPO3-CORE-SA-2025-013)
The version of TYPO3 installed on the remote host is 9.0.0 prior to 9.5.51 ELTS / 10.0.0 prior to 10.4.50 ELTS / 11.0.0 prior to 11.5.44 ELTS / 12.0.0 prior to 12.4.31 / 13.0.0 prior to 13.4.12. It is, therefore, affected by a vulnerability as referenced in the TYPO3-CORE-SA-2025-013 advisory. -...
PT-2025-19824 · WordPress · Reales Wp Stpt
Name of the Vulnerable Software and Affected Versions: Reales WP STPT plugin for WordPress versions up to and including 2.1.2 Description: The issue arises from the plugin's failure to properly validate a user's identity before updating their details, such as the password. This allows authenticat...
CVE-2024-47784
Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier...
Citrix FAS Cloud: Session logon hangs after password change when launching application
User has the password expired or "set at next logon" flag is set. However, user is able to login to workspace due to the cached credentials being used. When user launches an app they are prompted to change their AD password. Once this is complete, message to confirm password change is successful,...
CVE-2025-24859
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This...