Insecure Password Recovery Process Abuse
Variants:
Direct
Also Known As:
Weak Password Recovery, Insufficient Password Recovery, Insecure Password Recovery Process
Vector Type:
Vulnerability
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Input Validation, Content Security Policy
Invented In:
01/01/2000
Added In:
23/12/2014
Vector Operation Method:
The password recovery mechanism does not enforce sufficient restrictions on initiating the process, such as requiring the requester to first prove possession of a "something you have" factor (for example, by responding to an email or phone challenge notification) or following other best practices required for secure initiation of the process.