Key Vulnerability Information

Title: Authenticated user can change their account password without providing the current password via inc/mod/pages.php

Vulnerability Summary:
An authentication bypass in the password change mechanism (CWE-620) exists in vichan. An authenticated moderator can change their own password without supplying the current password. The application relies solely on an active session and permission checks, without re-authentication or password verification. If an attacker gains access to a valid moderator session, they can take over the account by changing the password.

Technical Root Cause:
- The password change logic does not require the user to provide their current password.
- No re-authentication of the session is performed.
- A direct password update is performed based solely on session identity.
- The user is immediately logged in with the new password, cementing account takeover.

Impact:
- Full account takeover of moderator accounts.
- Persistence after session compromise.
- Loss of account integrity and trust.
- Potential privilege abuse depending on moderator role.

Recommended Remediation:
- Require current password verification before allowing password change.
- Implement CSRF protection on password change endpoint.
- Enforce password confirmation.
- Require re-authentication for sensitive actions.
- Invalidate all existing sessions after password change.

References:
- CWE-620 - Unverified Password Change
- OWASP Authentication Cheat Sheet
- OWASP Session Management Cheat Sheet
- Project Repository: vichan-devel

CVSS v3.1 (Suggested):
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Score: 8.8 (High)
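
The remediation steps listed above, combined into one password change handler. This is an added example, not vichan's code or a patch from the project: the function name `change_password`, the in-memory `$users` and `$sessions` arrays, the form field names and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical names throughout; not vichan code.
// $users and $sessions are in-memory stand-ins for the mod and session tables.
$users = [7 => ['hash' => password_hash('old-pass-constructed', PASSWORD_DEFAULT)]];
$sessions = ['sess-a' => 7, 'sess-b' => 7];   // two live sessions for moderator 7

function change_password(array &$users, array &$sessions, string $sid,
                         string $csrfExpected, array $post): string
{
    $uid = $sessions[$sid] ?? null;
    if ($uid === null) {
        return 'no session';
    }
    // CSRF: constant-time compare of the per-session token with the submitted one.
    if (!hash_equals($csrfExpected, (string)($post['token'] ?? ''))) {
        return 'bad csrf token';
    }
    // Re-authentication: an active session alone is not sufficient (CWE-620).
    if (!password_verify((string)($post['current'] ?? ''), $users[$uid]['hash'])) {
        return 'current password incorrect';
    }
    // Confirmation: both copies of the new password must match.
    $new = (string)($post['new'] ?? '');
    if ($new === '' || $new !== (string)($post['confirm'] ?? '')) {
        return 'confirmation mismatch';
    }
    $users[$uid]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    // Invalidate every session of this user, including the requesting one,
    // so the user must log in again with the new password.
    $sessions = array_filter($sessions, fn($owner) => $owner !== $uid);
    return 'changed';
}

$csrf = bin2hex(random_bytes(16));            // token bound to session sess-a
$base = ['token' => $csrf, 'new' => 'n3w-constructed', 'confirm' => 'n3w-constructed'];

// Case 1: valid session and CSRF token, but the current password is not supplied.
echo change_password($users, $sessions, 'sess-a', $csrf, $base), "\n";
// Case 2: correct current password, but the CSRF token is missing.
echo change_password($users, $sessions, 'sess-a', $csrf,
    ['current' => 'old-pass-constructed'] + array_diff_key($base, ['token' => 1])), "\n";
// Case 3: token, current password and confirmation all present and correct.
echo change_password($users, $sessions, 'sess-a', $csrf,
    ['current' => 'old-pass-constructed'] + $base), "\n";
echo count($sessions), " sessions remain\n";
```

Dropping the requesting session along with the others is the opposite of the behaviour described under Technical Root Cause, where the user is immediately logged in with the new password.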