Common Weakness Enumeration

CWE-620

Allowed

Unverified Password Change

Abstraction: Base · Status: Draft

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

157 vulnerabilities reference this CWE, most recent first.

GHSA-7P24-RQ5Q-3RRV

Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2026-02-03 00:30
VLAI
Details

Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T15:15:32Z",
    "severity": "HIGH"
  },
  "details": "Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user\u0027s password.",
  "id": "GHSA-7p24-rq5q-3rrv",
  "modified": "2026-02-03T00:30:16Z",
  "published": "2025-10-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TID-Lab/aggie/tree/a9d5becaff3ea90720ea7213c80825e253b8a730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-22381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pescada-dev/CVE-2025-22381"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83JV-37P5-GC2R

Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32
VLAI
Details

Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T12:16:17Z",
    "severity": "MODERATE"
  },
  "details": "Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.",
  "id": "GHSA-83jv-37p5-gc2r",
  "modified": "2026-03-30T12:32:27Z",
  "published": "2026-03-30T12:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25653"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46383"
    },
    {
      "type": "WEB",
      "url": "https://www.navicat.com/es"
    },
    {
      "type": "WEB",
      "url": "https://www.navicat.com/es/download/navicat-for-oracle"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/navicat-for-oracle-password-field-denial-of-service"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8477-VWG3-3X2M

Vulnerability from github – Published: 2025-07-09 06:30 – Updated: 2025-07-09 06:30
VLAI
Details

The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-09T04:16:09Z",
    "severity": "CRITICAL"
  },
  "details": "The Sala - Startup \u0026 SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user\u0027s identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-8477-vwg3-3x2m",
  "modified": "2025-07-09T06:30:25Z",
  "published": "2025-07-09T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4606"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955?s_rank=4"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa385a1f-1623-4f0a-bb2f-d4564b8f91bf?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C83-CVGQ-PP7W

Vulnerability from github – Published: 2026-02-24 21:31 – Updated: 2026-02-26 03:31
VLAI
Details

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T21:16:29Z",
    "severity": "HIGH"
  },
  "details": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.",
  "id": "GHSA-8c83-cvgq-pp7w",
  "modified": "2026-02-26T03:31:17Z",
  "published": "2026-02-24T21:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24443"
    },
    {
      "type": "WEB",
      "url": "https://www.eventsentry.com/downloads/version-history"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8J63-78XQ-X2Q3

Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-08 18:30
VLAI
Details

Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T19:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.",
  "id": "GHSA-8j63-78xq-x2q3",
  "modified": "2025-12-08T18:30:25Z",
  "published": "2025-12-04T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63362"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://otsecverse.github.io/OTSecVerse/posts/Post-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PG2-F5FH-MJ6F

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker connected to the charging station web server to modify the password of a user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker connected to the charging station web server to modify the password of a user.",
  "id": "GHSA-8pg2-f5fh-mj6f",
  "modified": "2022-05-24T19:08:47Z",
  "published": "2022-05-24T19:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22773"
    },
    {
      "type": "WEB",
      "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8VGV-FFV5-269J

Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-28 03:31
VLAI
Details

An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-30458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T19:17:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users\u0027 password reset tokens via a mail splitting attack.",
  "id": "GHSA-8vgv-ffv5-269j",
  "modified": "2026-03-28T03:31:25Z",
  "published": "2026-03-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/daylightstudio/FUEL-CMS"
    },
    {
      "type": "WEB",
      "url": "https://pentest-tools.com/PTT-2025-025-Account-Takeover-via-Email-Array.pdf"
    },
    {
      "type": "WEB",
      "url": "http://daylight.com"
    },
    {
      "type": "WEB",
      "url": "http://fuelcms.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93CQ-WG48-929M

Vulnerability from github – Published: 2025-03-01 09:30 – Updated: 2025-03-01 09:30
VLAI
Details

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-01T07:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The Nokri \u2013 Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-93cq-wg48-929m",
  "modified": "2025-03-01T09:30:28Z",
  "published": "2025-03-01T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12824"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93X3-M7PW-PPQM

Vulnerability from github – Published: 2024-05-13 14:57 – Updated: 2024-05-14 20:01
VLAI
Summary
Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process
Details

Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.

The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.

A brute-force attack calling account_update.php with increasing user IDs is possible.

Impact

A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.

Patches

92d11a01b195a1b6717a2f205218089158ea6d00

Workarounds

Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).

References

https://mantisbt.org/bugs/view.php?id=34433

Credits

Alexander Christian, from Vantage Point Security Indonesia

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-13T14:57:13Z",
    "nvd_published_at": "2024-05-14T15:38:28Z",
    "severity": "HIGH"
  },
  "details": "Insufficient access control in the registration and password reset process allows an attacker to reset another user\u0027s password and takeover their account, if the victim has an incomplete request pending.\n\nThe exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.\n\nA brute-force attack calling account_update.php with increasing user IDs is possible. \n \n### Impact\n\nA successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.\n\n### Patches\n\n92d11a01b195a1b6717a2f205218089158ea6d00\n\n### Workarounds\n\nMitigate the risk by reducing the verification token\u0027s validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in *constants_inc.php*).\n\n### References\n\nhttps://mantisbt.org/bugs/view.php?id=34433\n\n### Credits\n\nAlexander Christian, from Vantage Point Security Indonesia\n",
  "id": "GHSA-93x3-m7pw-ppqm",
  "modified": "2024-05-14T20:01:07Z",
  "published": "2024-05-13T14:57:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=34433"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process"
}

GHSA-94R8-MJP9-M9V4

Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-05-09 09:33
VLAI
Details

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T07:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user\u0027s passwords, including administrators if the users email is known.",
  "id": "GHSA-94r8-mjp9-m9v4",
  "modified": "2025-05-09T09:33:18Z",
  "published": "2025-05-09T09:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2253"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

When prompting for a password change, force the user to provide the original password in addition to the new password.

Mitigation
Architecture and Design

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

No CAPEC attack patterns related to this CWE.