How severe is CVE-2021-36804?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2021-36804?

This is classified as CWE-640, which is a common weakness in software security.

CVE-2021-36804 - HIGH Severity | CVSS 8.1

Vulnerability Description

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.

Related Vulnerabilities

CVE-2014-6412

HIGH

CVSS:8.1(High)

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

CWE-6402014

CVE-2017-0921

HIGH

CVSS:8.1(High)

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component resulting in potential account tak...

CWE-6402017

CVE-2017-8613

HIGH

CVSS:8.1(High)

Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Az...

CWE-6402017

CVE-2018-1000812

HIGH

CVSS:8.1(High)

Artica Integria IMS version 5.0 MR56 Package 58, likely earlier versions contains a CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Password recovery process, line 45...

CWE-6402018

CVE-2018-12579

HIGH

CVSS:8.1(High)

An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1....

CWE-6402018

CVE-2019-12943

HIGH

CVSS:8.1(High)

TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

CWE-6402019