EUVD-2023-2516

Malicious code in bioql PyPI...

EUVD-2022-50140

Malicious code in bioql PyPI...

GHSA-J6G5-P62X-58HW vantage6 lacks brute-force protection on change password functionality

Impact If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct Patches This issue has been patched in...

CVE-2025-5370

A vulnerability classified as critical was found in PHPGurukul News Portal 4.1. Affected by this vulnerability is an unknown functionality of the file /admin/forgot-password.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has...

CVE-2025-5370 PHPGurukul News Portal forgot-password.php sql injection

A vulnerability classified as critical was found in PHPGurukul News Portal 4.1. Affected by this vulnerability is an unknown functionality of the file /admin/forgot-password.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has...

CVE-2024-34336

User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality...

CVE-2023-38871

The commit 3730880 April 2023 and v.0.9-beta1 of gugoan Economizzer has a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid, and when it's not. This may allow an attacker to determine whether a user or...

CVE-2021-31159

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732...

CVE-2025-4907

The CVE-2025-4907 entry affects PHPGurukul Daily Expense Tracker System 1.1. A SQL injection vulnerability exists in the forgot-password.php handling of the email parameter. Descriptions from multiple sources indicate remote exploitation is possible and that exploitation details have been disclos...

CVE-2023-24052

An issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain control of the device via the change password functionality as it does not prompt for the current password...

CVE-2023-24052

An issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain control of the device via the change password functionality as it does not prompt for the current password...

CVE-2022-25027

The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user's session token when the "Password forgotten?" button is clicked...

Injection in UserFrosting

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account...

CVE-2021-33321

CVE-2021-33321 affects Liferay Portal 6.2.3–7.3.2 and Liferay DXP before 7.3. The root cause is an insecure default configuration where the portal.property login.secure.forgot.password should be defaulted to true, enabling remote attackers to enumerate user email addresses via the forgot-password...

PT-2021-7762 · Rockwell Automation · Isagraf Runtime

Name of the Vulnerable Software and Affected Versions: Rockwell Automation ISaGRAF Runtime versions 4.x through 5.x Description: The issue concerns the encryption of passwords used to execute privileged commands in the ISaGRAF Runtime. Specifically, a fixed key value is used with the tiny...

Input validation

An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized a...

Watchguard Hard-Coded Credentials / Failed Controls

Introduction ============ Multiple vulnerabilities can be chained together in a number of WatchGuard AP products which result in pre-authenticated remote code execution. The vendor has produced a knowledge-base article1 and announcement2 regarding these issues. ZX Security would like to commend t...

RootPanel SQL Injection

============================================================ RootPanel All versions SQL injection/Account takeover. Discovery: AkaStep and CAMOUFL4G3 Vendor: http://www.rootpanel.ru/ ============================================================ What is RootPanel ? RootPanel is professional hosting...

CVE-2005-0288

The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords...