CWE-640: Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Abstraction: Base
Common Consequences

- Access Control → Gain Privileges or Assume Identity
- Availability → DoS: Resource Consumption (Other)
- Integrity → Other
Real-World Examples (10)
| CVE | CVSS score | EPSS (exploit probability) | CISA KEV listed |
|---|---|---|---|
| CVE-2019-18818 | 9.8 | 94.0% | — |
| CVE-2023-7028 | 10.0 | 93.5% | Y |
| CVE-2017-7615 | 8.8 | 92.5% | — |
| CVE-2017-8295 | 5.9 | 77.1% | — |
| CVE-2024-2862 | 9.1 | 74.5% | — |
| CVE-2020-11027 | 6.1 | 42.6% | — |
| CVE-2017-17097 | 9.8 | 36.9% | — |
| CVE-2020-28186 | 7.3 | 30.0% | — |
| CVE-2025-6216 | 9.8 | 30.0% | — |
Risk score: 8 / 100 (low-risk)

- Active Threat: 7/50 · Minimal
- Exploit Availability: 1/50 · Minimal