Common Weakness Enumeration

CWE-620

Allowed

Unverified Password Change

Abstraction: Base · Status: Draft

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

157 vulnerabilities reference this CWE, most recent first.

GHSA-Q45P-9X4J-2GJF

Vulnerability from github – Published: 2024-07-05 18:34 – Updated: 2024-07-08 15:31
VLAI
Details

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-05T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.",
  "id": "GHSA-q45p-9x4j-2gjf",
  "modified": "2024-07-08T15:31:55Z",
  "published": "2024-07-05T18:34:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27715"
    },
    {
      "type": "WEB",
      "url": "https://blog.be-hacktive.com/eskooly-cve/cve-2024-27715-inadequate-password-update-verification-in-eskooly-web-product-less-than-v3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5Q5-QR9G-74CH

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker to modify admin passwords via the device configuration backup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker to modify admin passwords via the device configuration backup.",
  "id": "GHSA-q5q5-qr9g-74ch",
  "modified": "2024-08-13T18:31:15Z",
  "published": "2024-08-13T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21757"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-467"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8F4-3C5X-8GV3

Vulnerability from github – Published: 2025-05-12 18:31 – Updated: 2025-05-12 18:31
VLAI
Details

An authenticated user attempting to change their password could do so without using the current password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T17:15:48Z",
    "severity": "LOW"
  },
  "details": "An authenticated user attempting to change their password could do so without using the current password.",
  "id": "GHSA-q8f4-3c5x-8gv3",
  "modified": "2025-05-12T18:31:48Z",
  "published": "2025-05-12T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46748"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/products/software/latest-software-versions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R5MP-Q6W8-MRH9

Vulnerability from github – Published: 2025-02-18 09:32 – Updated: 2025-02-18 09:32
VLAI
Details

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T09:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "The CarSpot \u2013 Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user\u0027s password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-r5mp-q6w8-mrh9",
  "modified": "2025-02-18T09:32:45Z",
  "published": "2025-02-18T09:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12860"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R95M-RM59-P2HP

Vulnerability from github – Published: 2025-06-27 09:31 – Updated: 2025-06-27 09:31
VLAI
Details

The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-27T09:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "The DWT - Directory \u0026 Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user\u0027s password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-r95m-rm59-p2hp",
  "modified": "2025-06-27T09:31:19Z",
  "published": "2025-06-27T09:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12827"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/dwt-listing-directory-listing-wordpress-theme/21976132"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51fc7d47-2a0f-4713-9859-120321aa32dc?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RP56-X26J-363P

Vulnerability from github – Published: 2024-07-22 15:32 – Updated: 2024-07-22 15:32
VLAI
Details

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). The password of administrative accounts of the affected applications can be reset without requiring the knowledge of the current password, given the auto login is enabled. This could allow an unauthorized attacker to obtain administrative access of the affected applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T14:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions \u003c V5.40), SICORE Base system (All versions \u003c V1.4.0). The password of administrative accounts of the affected applications can be reset without requiring the knowledge of the current password, given the auto login is enabled. This could allow an unauthorized attacker to obtain administrative access of the affected applications.",
  "id": "GHSA-rp56-x26j-363p",
  "modified": "2024-07-22T15:32:40Z",
  "published": "2024-07-22T15:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37998"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-071402.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V6HH-XJMV-MXF7

Vulnerability from github – Published: 2025-04-22 00:30 – Updated: 2025-04-22 00:30
VLAI
Details

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument studentId leads to unverified password change. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-22T00:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument studentId leads to unverified password change. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-v6hh-xjmv-mxf7",
  "modified": "2025-04-22T00:30:31Z",
  "published": "2025-04-22T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3849"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YXJ2018/SpringBoot-Vue-OnlineExam/issues/74"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.305776"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.305776"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.556283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VR7M-2734-5H7W

Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2025-10-23 18:31
VLAI
Details

A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T15:15:44Z",
    "severity": "HIGH"
  },
  "details": "A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask\u0027s url_for(_external=True) generates reset links without a fixed SERVER_NAME.",
  "id": "GHSA-vr7m-2734-5h7w",
  "modified": "2025-10-23T18:31:14Z",
  "published": "2025-10-23T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61132"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1FmkctLdOTGMdy6GgLaTzfxemdVDeiA7J/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/BrookeYangRui/94c3bee0c2cbc1ed81a21d4448550c21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/auth/views.py#L131-L148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/templates/auth/email/reset_password.html#L1-L8"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W45M-H9P7-X2WF

Vulnerability from github – Published: 2025-06-16 00:31 – Updated: 2026-01-08 21:30
VLAI
Details

A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-16T00:15:18Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in UTT \u8fdb\u53d6 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-w45m-h9p7-x2wf",
  "modified": "2026-01-08T21:30:28Z",
  "published": "2025-06-16T00:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md#poc"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.312566"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.312566"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.589425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W84W-59G8-PMG9

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

A unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T17:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "A  unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request",
  "id": "GHSA-w84w-59g8-pmg9",
  "modified": "2025-04-08T18:34:42Z",
  "published": "2025-04-08T18:34:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48887"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

When prompting for a password change, force the user to provide the original password in addition to the new password.

Mitigation
Architecture and Design

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

No CAPEC attack patterns related to this CWE.