
CWE-620 (Unverified Password Change) — Vulnerability Class (68 CVEs)

68 vulnerabilities classified as CWE-620 (Unverified Password Change). AI-generated analysis (in Chinese) included.

CWE-620 is an authentication weakness in which software lets a password be set without first proving that the requester is the account's current owner. It typically arises when a password-change handler takes the target username and the new password from the request and checks only that the two password fields match, or when it trusts a session cookie, or a reset token that never expires and is easy to guess, in place of the current password. Two attack paths follow. If the target account comes from a request parameter, any logged-in (or even anonymous) user can change another user's password outright. If the target is the session's own identity but the current password is not required, anyone who obtains that session (through session hijacking, XSS, or CSRF) can set a new password, locking the real owner out and turning a transient compromise into a persistent account takeover. The mitigations are straightforward: derive the target account from the authenticated session rather than from user input; require the current password (or a second factor) before replacing it; for forgotten-password flows, issue a random, single-use, time-limited token delivered only to contact details already on file, store only a hash of it, and do not let an unauthenticated user change those contact details; and invalidate other sessions and pending reset tokens once the password changes. Only the legitimate account holder can then authorize a change, which is what closes the account-takeover path.

MITRE CWE Description
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity.
Mitigations (2)
Architecture and Design: When prompting for a password change, force the user to provide the original password in addition to the new password.
Architecture and Design: Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Examples (1)
This code changes a user's password (Bad · PHP). The target account and the new password both come straight from the request, and the only check is that the two password fields agree; the current password is never asked for, so any caller can set any user's password.

    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    // CWE-620: no proof that the caller is $user, no current-password check
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }
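The following Python block is an added illustration, not code from this page or from any of the products listed below. It ports the unverified handler above to Python and sets it beside a hardened change handler (account taken from the session, current password required) and a forgotten-password flow that follows the second mitigation: a random, single-use, time-limited token whose hash alone is stored. The in-memory user table, the sample accounts, and the 15-minute token lifetime are constructed assumptions.

```python
"""CWE-620 in practice: the unverified password-change pattern from the PHP
example above, ported to Python, beside a hardened change handler and a
token-based forgotten-password flow. Added illustration; the in-memory user
table, the sample accounts and the 15-minute token lifetime are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) suitable for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    _, digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def make_store(users: dict) -> dict:
    """Constructed user table: {username: {"salt", "hash", "reset"}}."""
    store = {}
    for name, password in users.items():
        salt, digest = hash_password(password)
        store[name] = {"salt": salt, "hash": digest, "reset": None}
    return store


# --- Vulnerable (CWE-620): same logic as the page's PHP example -------------
def change_password_unverified(store: dict, user: str, new: str, confirm: str) -> bool:
    """Target account and new password both come from the request and the only
    check is that the two password fields agree. Any caller can reset anyone."""
    if user not in store or new != confirm:
        return False
    store[user]["salt"], store[user]["hash"] = hash_password(new)
    return True


# --- Hardened: target is the session identity, current password required ---
def change_password(store: dict, session_user: str, current: str,
                    new: str, confirm: str) -> bool:
    """The account comes from the authenticated session, never from a request
    parameter, and the caller must present the current password first, so a
    hijacked session or a CSRF request cannot lock the real owner out."""
    record = store.get(session_user)
    if record is None or new == "" or new != confirm:
        return False
    if not verify_password(record, current):
        return False
    record["salt"], record["hash"] = hash_password(new)
    record["reset"] = None  # a pending reset token dies with the old password
    return True


# --- Forgotten password: random, hashed, single-use, time-limited token ----
def issue_reset_token(store: dict, user: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a reset token. Only its SHA-256 is stored; the raw value is returned
    for delivery out of band (to contact details already on file). Unknown
    users get None so the caller can respond identically either way."""
    record = store.get(user)
    if record is None:
        return None
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    record["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                       "expires": issued + RESET_TOKEN_TTL}
    return token


def reset_password_with_token(store: dict, user: str, token: str, new: str,
                              confirm: str, now: Optional[float] = None) -> bool:
    """Consume a reset token. It must match the stored hash and be unexpired,
    and it is invalidated on every attempt, successful or not (single use)."""
    record = store.get(user)
    if record is None or record["reset"] is None:
        return False
    pending, record["reset"] = record["reset"], None
    current_time = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).digest()
    if current_time > pending["expires"]:
        return False
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    if new == "" or new != confirm:
        return False
    record["salt"], record["hash"] = hash_password(new)
    return True


if __name__ == "__main__":
    users = make_store({"alice": "correct horse", "bob": "battery staple"})
    # An attacker who only knows alice's username takes over her account:
    print("unverified:", change_password_unverified(users, "alice", "pwned", "pwned"))
    # The same attacker, holding a stolen session but not the password, fails:
    print("hardened:  ", change_password(users, "alice", "not her password", "x", "x"))
    # Reset tokens expire and are single-use:
    tok = issue_reset_token(users, "bob", now=1000.0)
    print("expired:   ", reset_password_with_token(
        users, "bob", tok, "n", "n", now=1000.0 + RESET_TOKEN_TTL + 1))
```

Two design points carry over to a real application: the `now` parameter exists only so the expiry logic can be exercised deterministically (drop it and use the clock in production), and the reset token is consumed on every attempt, not just successful ones, so an attacker cannot keep guessing against the same stored hash.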
CVE ID | Title | Affected product / version | CVSS | Severity | Published
CVE-2022-21935 | Metasys password guessing | Metasys ADS/ADX/OAS server | 7.5 | High | 2022-06-15
CVE-2022-21934 | Metasys Unverified Password Change | Metasys ADS/ADX/OAS server | 8.0 | High | 2022-05-06
CVE-2021-34786 | Cisco BroadWorks CommPilot Application Software Vulnerabilities | Cisco BroadWorks | 6.5 | Medium | 2021-09-09
CVE-2021-34785 | Cisco BroadWorks CommPilot Application Software Vulnerabilities | Cisco BroadWorks | 6.5 | Medium | 2021-09-09
CVE-2021-22773 | EVlink City, EVlink Parking, EVlink Smart Wallbox security vulnerability | EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) | 6.5 | - | 2021-07-21
CVE-2020-7378 | CRIXP OpenCRX Unverified Password Change | OpenCRX | 9.1 | Critical | 2020-11-24
CVE-2018-8916 | Synology DiskStation Manager security vulnerability | DiskStation Manager (DSM) | 8.1 | - | 2018-06-08
CVE-2017-14005 | ProMinent MultiFLEX M10a Controller web interface security vulnerability | ProMinent MultiFLEX M10a Controller | 8.8 | - | 2017-10-17

68 CVEs are classified as CWE-620 (Unverified Password Change); only a subset is listed above. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.