
CWE-620 (Unverified Password Change) — Vulnerability Class 68

68 vulnerabilities classified as CWE-620 (Unverified Password Change). AI Chinese analysis included.

CWE-620 represents a critical authentication weakness where software allows password modifications without verifying the user’s current identity. This flaw typically arises when applications accept new credentials based solely on a username or session token, bypassing the requirement for the original password or multi-factor authentication. Attackers exploit this vulnerability by intercepting valid user sessions or manipulating requests to reset passwords for other accounts, thereby gaining unauthorized access to sensitive data and elevated privileges. To mitigate this risk, developers must enforce strict verification protocols during password changes. This includes requiring the current password, implementing time-limited reset tokens sent via secure channels, and validating session integrity. By ensuring that only the legitimate account holder can authorize changes, organizations effectively prevent account takeover attacks and maintain robust user authentication standards.

MITRE CWE Description
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity.
Mitigations (2)
Phase: Architecture and Design. When prompting for a password change, force the user to provide the original password in addition to the new password.
Phase: Architecture and Design. Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Examples (1)
This code changes a user's password.

<?php
// Bad: the account to change and the new password are both taken from the
// request, and the caller is never asked for the current password (CWE-620).
$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
    SetUserPassword($user, $pass);
}

Bad · PHP
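As an added illustration (not MITRE's code and not from any product listed below), the handler above beside the same operation with both mitigations applied: the account is taken from the authenticated session and the current password must verify, and the "forgotten password" path uses a random, time-limited, single-use token. The in-memory `Accounts` store, its method names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib, hmac, os, secrets, time


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Accounts:  # constructed in-memory store; an assumption, not any listed product's API
    RESET_TTL = 600  # seconds a reset token stays valid

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 hash)
        self._resets = {}  # username -> (sha256(token), expiry timestamp)

    def register(self, user, pw):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(pw, salt))

    def verify(self, user, pw):
        # Always hashes, so an unknown user costs the same time as a wrong password.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, _hash(pw, salt))

    def change_password_unverified(self, user, new_pw):
        # CWE-620, the shape of the PHP example above: the account name comes
        # from the request and nothing proves the caller owns it.
        self.register(user, new_pw)

    def change_password(self, session_user, current_pw, new_pw):
        # Mitigation 1: the account comes from the authenticated session, and
        # the current password must verify before anything changes.
        if not self.verify(session_user, current_pw):
            return False
        self.register(session_user, new_pw)
        return True

    def issue_reset_token(self, user, now=None):
        # Mitigation 2: random, time-limited, single-use token sent out of band
        # (e.g. to the e-mail already on file); only its hash is stored.
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + self.RESET_TTL
        self._resets[user] = (hashlib.sha256(token.encode()).digest(), expiry)
        return token

    def reset_with_token(self, user, token, new_pw, now=None):
        digest, expiry = self._resets.get(user, (b"", 0.0))
        fresh = (time.time() if now is None else now) <= expiry
        if not (fresh and hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest())):
            return False
        del self._resets[user]  # single use: a replayed token fails
        self.register(user, new_pw)
        return True
```

The `now` parameter only exists so the expiry check can be exercised deterministically; in a real service the token would also be rate-limited and invalidated when the password changes by any other path.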
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-3607 | Frontend Login and Registration Blocks <= 1.0.8 - Authenticated (Subscriber+) Privilege Escalation via Password Reset | Login, Registration and Lost Password Blocks | 8.8 | High | 2025-04-24
CVE-2025-3849 | YXJ2018 SpringBoot-Vue-OnlineExam studentPWD unverified password change | SpringBoot-Vue-OnlineExam | 4.3 | Medium | 2025-04-21
CVE-2024-48887 | Fortinet FortiSwitch security vulnerability | FortiSwitch | 9.3 | Critical | 2025-04-08
CVE-2024-41796 | Siemens SENTRON 7KT PAC1260 Data Manager security vulnerability | SENTRON 7KT PAC1260 Data Manager | 6.5 | Medium | 2025-04-08
CVE-2024-9431 | Improper Privilege Management in transformeroptimus/superagi | transformeroptimus/superagi | 8.8 | - | 2025-03-20
CVE-2024-13373 | Exertio Framework <= 1.3.1 - Unauthenticated Arbitrary User Password Update | Exertio Framework | 8.1 | High | 2025-03-01
CVE-2024-12824 | Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change | Nokri – Job Board WordPress Theme | 9.8 | Critical | 2025-03-01
CVE-2024-12860 | CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover | CarSpot – Dealership Wordpress Classified Theme | 9.8 | Critical | 2025-02-18
CVE-2025-1107 | Unverified password change vulnerability in Janto | Janto | 9.9 | Critical | 2025-02-07
CVE-2024-45647 | IBM Security Verify Access unverified password change | Security Verify Access | 5.6 | Medium | 2025-01-20
CVE-2024-13375 | Adifier System <= 3.1.7 - Unauthenticated Arbitrary Password Reset | Adifier System | 9.8 | Critical | 2025-01-18
CVE-2024-28143 | Insecure Password Change Function | Scan2Net | 9.8 | - | 2024-12-12
CVE-2024-51493 | API key access in settings without reauthentication in OctoPrint | OctoPrint | 5.3 | Medium | 2024-11-05
CVE-2024-33699 | LevelOne WBR-6012 security vulnerability | WBR-6012 | 9.9 | Critical | 2024-10-30
CVE-2024-8794 | BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset | BA Book Everything | 5.3 | Medium | 2024-09-24
CVE-2024-21757 | Fortinet FortiManager and Fortinet FortiAnalyzer security vulnerability | FortiManager | 5.5 | Medium | 2024-08-13
CVE-2024-37998 | Siemens CPCI85 Central Processing and SICORE Base system security vulnerability | CPCI85 Central Processing/Communication | 9.8 | Critical | 2024-07-22
CVE-2024-20419 | Cisco Smart Software Manager On-Prem security vulnerability | Cisco Smart Software Manager On-Prem | 10.0 | Critical | 2024-07-17
CVE-2024-2213 | Improper Authentication in zenml-io/zenml | zenml-io/zenml | 8.8 (AI) | High (AI) | 2024-06-06
CVE-2023-4465 | Poly VVX 601 Configuration File Import unverified password change | Trio 8300 | 2.7 | Low | 2023-12-29
CVE-2023-2449 | UserPro <= 5.1.1 - Insecure Password Reset Mechanism | UserPro - Community and User Profile WordPress Plugin | 9.8 | Critical | 2023-11-22
CVE-2023-4214 | AppPresser <= 4.2.5 - Insecure Password Reset Mechanism | AppPresser – Mobile App Framework | 8.1 | High | 2023-11-18
CVE-2023-5844 | Unverified Password Change in pimcore/admin-ui-classic-bundle | pimcore/admin-ui-classic-bundle | 8.8 | - | 2023-10-30
CVE-2023-4915 | WP User Control <= 1.5.3 - Insecure Password Reset Mechanism | WP User Control | 5.3 | Medium | 2023-09-13
CVE-2023-4381 | Unverified Password Change in instantsoft/icms2 | instantsoft/icms2 | 9.8 | - | 2023-08-16
CVE-2023-3069 | Unverified Password Change in tsolucio/corebos | tsolucio/corebos | 9.8 | - | 2023-06-02
CVE-2023-2297 | Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Insecure Password Reset Mechanism | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | 9.8 | Critical | 2023-04-26
CVE-2023-25931 | Medtronic Micro Clinician & InterStim X Clinician App Password Reset Issue | InterStim Applications | 6.4 | Medium | 2023-03-01
CVE-2022-3152 | Unverified Password Change in phpfusion/phpfusion | phpfusion/phpfusion | 8.1 | - | 2022-09-07
CVE-2022-2930 | Unverified Password Change in octoprint/octoprint | octoprint/octoprint | 7.1 | - | 2022-08-22

Vulnerabilities classified as CWE-620 (Unverified Password Change) represent 68 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.