WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account tak...

Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Az...

Artica Integria IMS version 5.0 MR56 Package 58, likely earlier versions contains a CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Password recovery process, line 45...

TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an a...