CWE-620
AllowedUnverified Password Change
Abstraction: Base · Status: Draft
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
157 vulnerabilities reference this CWE, most recent first.
GHSA-W86J-8536-Q955
Vulnerability from github – Published: 2024-09-24 03:30 – Updated: 2024-09-24 03:30The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.
{
"affected": [],
"aliases": [
"CVE-2024-8794"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-24T03:15:03Z",
"severity": "MODERATE"
},
"details": "The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user\u0027s identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user\u0027s passwords, including administrators. It\u0027s important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.",
"id": "GHSA-w86j-8536-q955",
"modified": "2024-09-24T03:30:44Z",
"published": "2024-09-24T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8794"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-my-account.php#L610"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-users.php#L266"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3152728/ba-book-everything/trunk/includes/class-babe-users.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e261b0e-5ca3-4f5c-acc0-41abee31b148?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCV9-7CMW-HF38
Vulnerability from github – Published: 2025-12-11 21:31 – Updated: 2025-12-11 21:31IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow could an authenticated user to change the password of another user without prior knowledge of that password.
{
"affected": [],
"aliases": [
"CVE-2025-13148"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T20:15:52Z",
"severity": "HIGH"
},
"details": "IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow could an authenticated user to change the password of another user without prior knowledge of that password.",
"id": "GHSA-wcv9-7cmw-hf38",
"modified": "2025-12-11T21:31:33Z",
"published": "2025-12-11T21:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13148"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7254434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGX6-G857-JJF7
Vulnerability from github – Published: 2026-04-22 22:13 – Updated: 2026-05-29 21:45Summary
The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account.
Details
The design flaw in authentication model (authentication.rb) allows for interchangeable use of password and session tokens for user authentication As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account’s password even after the victim resets it, thereby maintaining persistent control over the compromised account.
PoC
- Attacker is logged in user account with hijacked valid session token, but not knowing the actual password
- Legitimate user, as preventive action, changes his password (password123) using old password (password), that he knows, then establishes new session
- Attacker issues another password change request (in web proxy like Burp) supplying his still valid token as old_password, changing it to attacker-password, from this point preventing any other legitimate users from accessing account
Impact
Persistence of an attacker who obtained valid session token and preventing legitimate users from account access
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0.pre.rc1"
},
{
"fixed": "7.0.0-rc3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42084"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T22:13:10Z",
"nvd_published_at": "2026-05-04T18:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\nThe OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account.\n\n### Details\nThe design flaw in authentication model ([authentication.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/authentication.rb)) allows for interchangeable use of password and session tokens for user authentication As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account\u2019s password even after the victim resets it, thereby maintaining persistent control over the compromised account.\n\n### PoC\n1. Attacker is logged in user account with hijacked valid session token, but not knowing the actual password\n2. Legitimate user, as preventive action, changes his password (_password123_) using old password (_password_), that he knows, then establishes new session\n3. Attacker issues another password change request (in web proxy like Burp) supplying his still valid token as _old_password_, changing it to attacker-password, from this point preventing any other legitimate users from accessing account\n\u003cimg width=\"912\" height=\"479\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d27b5980-0326-40f8-bb39-657d7b1c95a0\" /\u003e\n\u003cimg width=\"923\" height=\"423\" alt=\"image\" src=\"https://github.com/user-attachments/assets/060d9fe1-637e-4a2d-9142-76612984ea28\" /\u003e\n\n### Impact\nPersistence of an attacker who obtained valid session token and preventing legitimate users from account access",
"id": "GHSA-wgx6-g857-jjf7",
"modified": "2026-05-29T21:45:03Z",
"published": "2026-04-22T22:13:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42084"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2026-42084.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence"
}
GHSA-WWGW-FWM7-PQ39
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes.
{
"affected": [],
"aliases": [
"CVE-2017-14005"
],
"database_specific": {
"cwe_ids": [
"CWE-620",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-17T22:29:00Z",
"severity": "HIGH"
},
"details": "An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user\u0027s password, enabling future access and possible configuration changes.",
"id": "GHSA-wwgw-fwm7-pq39",
"modified": "2022-05-13T01:37:41Z",
"published": "2022-05-13T01:37:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14005"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X39M-3393-3QP4
Vulnerability from github – Published: 2025-11-14 20:56 – Updated: 2025-11-14 20:56Summary
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change
The application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester’s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account’s recovery/login address.
Details
Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L211
Remote and physical scenarios can be considered.
PoC
Repro steps: 1. As logged in user https://cloud.flowiseai.com/account scroll down to 'Profile' section 2. Change email to the new email 3. Notice Unverified Password Change (authenticated change without current password)
Later this email is needed as credentials to log in or reset password feature.
POC: Email changed, and notice "Profile updated" message.
Screenshot
Impact
Full account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data). User account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I've reported (similar security issue with the password - part of credentials). (gain persistence)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "flowise-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T20:56:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nUnverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change\n\nThe application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester\u2019s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account\u2019s recovery/login address.\n\n### Details\nOccurence - code:\nhttps://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L211\n\nRemote and physical scenarios can be considered.\n\n### PoC\n**Repro steps:**\n1. As logged in user https://cloud.flowiseai.com/account scroll down to \u0027Profile\u0027 section\n2. Change email to the new email\n3. Notice Unverified Password Change (authenticated change without current password)\n\nLater this email is needed as credentials to log in or reset password feature.\n\n**POC:**\nEmail changed, and notice \"Profile updated\" message.\n\n**Screenshot**\n\u003cimg width=\"329\" height=\"357\" alt=\"secbug\" src=\"https://github.com/user-attachments/assets/d3c77835-35bb-47dc-8cd2-83e4e266e5a4\" /\u003e\n\n\n### Impact\nFull account takeover (ATO) of affected accounts (loss of confidentiality and integrity of account data).\nUser account recovery mechanisms (password reset flows tied to email) can be bypassed or abused if combined with this issue and the second one which I\u0027ve reported (similar security issue with the password - part of credentials). (gain persistence)",
"id": "GHSA-x39m-3393-3qp4",
"modified": "2025-11-14T20:56:02Z",
"published": "2025-11-14T20:56:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/pull/5294"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Flowise doesn\u0027t Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)"
}
GHSA-X93P-W2CH-FG67
Vulnerability from github – Published: 2025-12-10 18:20 – Updated: 2025-12-11 15:50Impact
The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in the back office without knowing the previous password. For example if someone logs in, leaves their workstation unlocked, and another person uses the same machine.
Credit
The issue was reported to us by Code-Rhapsodie. We thank them for their responsible disclosure! https://www.code-rhapsodie.fr/
Patches
- See "Patched versions".
- https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ibexa/user"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-beta1"
},
{
"fixed": "5.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67719"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-10T18:20:55Z",
"nvd_published_at": "2025-12-11T02:16:18Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThe vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in the back office without knowing the previous password. For example if someone logs in, leaves their workstation unlocked, and another person uses the same machine.\n\n### Credit\nThe issue was reported to us by Code-Rhapsodie. We thank them for their responsible disclosure!\nhttps://www.code-rhapsodie.fr/\n\n### Patches\n- See \"Patched versions\".\n- https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4\n\n### Workarounds\nNone.",
"id": "GHSA-x93p-w2ch-fg67",
"modified": "2025-12-11T15:50:05Z",
"published": "2025-12-10T18:20:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ibexa/user/security/advisories/GHSA-x93p-w2ch-fg67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67719"
},
{
"type": "WEB",
"url": "https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2025-005-password-change-and-xss-vulnerabilities-in-back-office"
},
{
"type": "PACKAGE",
"url": "https://github.com/ibexa/user"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ibexa User Bundle is missing password change validation"
}
GHSA-XH2M-QFW7-QGVG
Vulnerability from github – Published: 2023-09-13 03:30 – Updated: 2024-04-04 07:38The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (in the WP User Control Widget). The function changes the user's password after providing the email. The new password is only sent to the user's email, so the attacker does not have access to the new password.
{
"affected": [],
"aliases": [
"CVE-2023-4915"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T03:15:09Z",
"severity": "MODERATE"
},
"details": "The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (in the WP User Control Widget). The function changes the user\u0027s password after providing the email. The new password is only sent to the user\u0027s email, so the attacker does not have access to the new password.",
"id": "GHSA-xh2m-qfw7-qgvg",
"modified": "2024-04-04T07:38:42Z",
"published": "2023-09-13T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4915"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-control/tags/1.5.3/inc/WPUserControlWidget.php#L893"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4ca1736-7b99-49db-9367-586dbc14df41?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When prompting for a password change, force the user to provide the original password in addition to the new password.
Mitigation
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
No CAPEC attack patterns related to this CWE.