
CWE-620 Unverified Password Change: vulnerability list (68)

Summary of the 68 CVE entries associated with the CWE-620 Unverified Password Change weakness class, with AI-generated Chinese analysis.

CWE-620 is an authentication weakness: when a user's password is changed, the system neither verifies the original password nor applies any other identity-confirmation mechanism. An attacker can exploit this to replace another user's credentials without knowing the original password, and so obtain that user's system privileges and sensitive data. Developers should require the user to supply the old password, or to complete multi-factor authentication, before a password change takes effect, so that the actor is confirmed to be the account's legitimate holder and unauthorized access is blocked.

MITRE CWE official description
CWE: CWE-620 Unverified Password Change. Description: The product does not require knowledge of the original password, or use another form of authentication, when setting a new password for a user. An attacker could exploit this to change another user's password and obtain the privileges associated with that user.
Common consequences (1)
Access Control: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Mitigations (2)
Architecture and Design: When prompting for a password change, force the user to provide the original password in addition to the new password.
Architecture and Design: Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Code example (1)
This code changes a user's password.
<?php
$user = $_GET['user'];            // target account is taken straight from the request
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
// Only checks that the two copies of the new password agree; the original password
// is never requested, so any account named in the request can have its password set.
if ($pass == $checkpass) {
    SetUserPassword($user, $pass);
}
Bad · PHP
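The hardened counterpart of the snippet above, written here as an added example rather than code from the CWE entry. It applies the first mitigation (require the original password) and also stops taking the target account from the request. The in-memory `$users` array, the `change_password` and `handle_change_request` functions, and the `$session`/`$post` parameters that stand in for `$_SESSION`/`$_POST` are all assumptions made for the example; `SetUserPassword` from the original snippet is replaced by a direct hash update.

```php
<?php
// Added example (not code from the CWE entry). User storage is simulated with an
// in-memory array; a real application would read and write its user table.

/**
 * Change the password of the authenticated user.
 * $users is the hypothetical user table: name => ['hash' => password_hash(...)].
 * Returns true on success, false on any failure. The caller must not reveal which
 * check failed, so the response cannot be used to probe the original password.
 */
function change_password(array &$users, string $sessionUser, string $oldPass, string $newPass, string $confirm): bool
{
    // The target account comes from the session, never from user-controlled input.
    if (!isset($users[$sessionUser])) {
        return false;
    }
    // The CWE-620 control: prove knowledge of the current password first.
    if (!password_verify($oldPass, $users[$sessionUser]['hash'])) {
        return false;
    }
    // Only after that, validate the new password and its confirmation.
    if ($newPass !== $confirm || strlen($newPass) < 12 || $newPass === $oldPass) {
        return false;
    }
    // Store a fresh salted hash, never the plaintext.
    $users[$sessionUser]['hash'] = password_hash($newPass, PASSWORD_DEFAULT);
    return true;
}

/**
 * HTTP handler shape. $session and $post stand in for $_SESSION and $_POST so the
 * logic can be exercised outside a web server. Returns the HTTP status to send.
 */
function handle_change_request(array &$users, array $session, array $post, string $method): int
{
    // State-changing operation: POST only, and only for a logged-in user.
    if ($method !== 'POST' || empty($session['user'])) {
        return 403;
    }
    $ok = change_password(
        $users,
        $session['user'],
        $post['oldpass'] ?? '',
        $post['pass'] ?? '',
        $post['checkpass'] ?? ''
    );
    // On success a real handler would also call session_regenerate_id(true) and
    // revoke the user's other sessions, since the credential has just changed.
    return $ok ? 200 : 400;
}

// Constructed sample data: alice's current password is "old-secret-123".
$users = ['alice' => ['hash' => password_hash('old-secret-123', PASSWORD_DEFAULT)]];
$session = ['user' => 'alice'];
$newPair = ['pass' => 'brand-new-pass-456', 'checkpass' => 'brand-new-pass-456'];

// Matching new passwords but a wrong original password.
echo handle_change_request($users, $session, ['oldpass' => 'guess'] + $newPair, 'POST'), "\n";
// Correct original password; the stored hash is replaced.
echo handle_change_request($users, $session, ['oldpass' => 'old-secret-123'] + $newPair, 'POST'), "\n";
// A 'user' field in the request is ignored: only the session decides whose password changes.
echo handle_change_request($users, $session, ['user' => 'bob', 'oldpass' => 'x', 'pass' => 'y', 'checkpass' => 'y'], 'POST'), "\n";
// A GET request is refused before any check runs.
echo handle_change_request($users, $session, ['oldpass' => 'brand-new-pass-456'] + $newPair, 'GET'), "\n";
```

Run with `php` from the command line. The order of the checks matters: the original password is verified before the new password is even looked at, and every failure returns the same generic status, so the endpoint neither lets a request name a victim account nor leaks which check rejected it.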
CVE ID | Title (affected product) | CVSS | Risk level | Published
CVE-2026-42084 | OpenC3 COSMOS session token hijacking leading to password reset vulnerability (cosmos) | 8.1 | High | 2026-05-04
CVE-2026-40588 | blueprintUE self-hosted edition security vulnerability (blueprintue-self-hosted-edition) | 8.1 | High | 2026-04-21
CVE-2019-25653 | Navicat security vulnerability (Navicat for Oracle) | 6.2 | Medium | 2026-03-30
CVE-2026-27757 | SODOLA SL902-SWTGW124AS security vulnerability (SODOLA SL902-SWTGW124AS) | 7.1 | High | 2026-02-27
CVE-2026-24443 | NETIKUS EventSentry security vulnerability (EventSentry) | 8.8 | - | 2026-02-24
CVE-2026-2543 | vichan authorization issue vulnerability (vichan) | 2.7 | Low | 2026-02-16
CVE-2026-24440 | Tenda W30E security vulnerability (W30E V2) | 9.1 (AI) | Critical (AI) | 2026-01-26
CVE-2025-14751 | Weintek cMT X Series security vulnerability (cMT3072XH) | 8.8 (AI) | High (AI) | 2026-01-22
CVE-2025-11235 | Progress MOVEit Transfer security vulnerability (MOVEit Transfer) | 3.7 | Low | 2026-01-06
CVE-2025-13148 | IBM Aspera Orchestrator security vulnerability (Aspera Orchestrator) | 8.1 | High | 2025-12-11
CVE-2025-67719 | Ibexa User Bundle security vulnerability (user) | 9.8 (AI) | Critical (AI) | 2025-12-11
CVE-2025-59808 | Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise security vulnerability (FortiSOAR on-premise) | 6.5 | Medium | 2025-12-09
CVE-2025-62425 | Matrix Authentication Service security vulnerability (matrix-authentication-service) | 8.3 | High | 2025-10-16
CVE-2025-9286 | WordPress plugin Appy Pie Connect for WooCommerce security vulnerability (Appy Pie Connect for WooCommerce) | 9.8 | Critical | 2025-10-03
CVE-2025-10159 | Sophos AP6 Series security vulnerability (AP6 Series Wireless Access Points) | 9.8 | Critical | 2025-09-09
CVE-2025-46389 | Emby MediaBrowser security vulnerability (MediaBrowser) | 6.5 | Medium | 2025-08-06
CVE-2025-4606 | WordPress plugin Sala security vulnerability (Sala - Startup & SaaS WordPress Theme) | 9.8 | Critical | 2025-07-09
CVE-2024-12827 | WordPress plugin DWT - Directory & Listing security vulnerability (DWT - Directory & Listing WordPress Theme) | 9.8 | Critical | 2025-06-27
CVE-2025-6097 | UTT 进取 750W security vulnerability (进取 750W) | 5.3 | Medium | 2025-06-16
CVE-2025-5482 | WordPress plugin Sunshine Photo Cart security vulnerability (Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers) | 8.8 | High | 2025-06-04
CVE-2025-47938 | TYPO3 security vulnerability (typo3) | 3.8 | Low | 2025-05-20
CVE-2025-4322 | WordPress plugin Motors security vulnerability (Motors - Car Dealer, Rental & Listing WordPress theme) | 9.8 | Critical | 2025-05-20
CVE-2025-4903 | D-Link DI-7003GV2 security vulnerability (DI-7003GV2) | 5.3 | Medium | 2025-05-19
CVE-2025-46748 | Schweitzer Engineering Laboratories multiple products security vulnerability (SEL Blueframe OS) | 2.7 | Low | 2025-05-12
CVE-2025-4558 | WormHole Tech GPM security vulnerability (GPM) | 9.8 | Critical | 2025-05-12
CVE-2025-4552 | ContiNew Admin security vulnerability (ContiNew Admin) | 5.4 | Medium | 2025-05-11
CVE-2025-2253 | WordPress plugin IMITHEMES Listing security vulnerability (IMITHEMES Listing) | 9.8 | Critical | 2025-05-09
CVE-2024-47784 | ABB ANC security vulnerability (ANC) | 2.6 | Low | 2025-04-30
CVE-2025-3603 | WordPress plugin Flynax Bridge security vulnerability (Flynax Bridge) | 9.8 | Critical | 2025-04-24
CVE-2025-3793 | WordPress plugin Buddypress Force Password Change security vulnerability (Buddypress Force Password Change) | 4.2 | Medium | 2025-04-24
"(AI)" reproduces the AI tag the page attaches to that score or risk level.

CWE-620 (Unverified Password Change) is a common weakness category; this platform lists 68 CVE entries associated with it.