CWE-620
AllowedUnverified Password Change
Abstraction: Base · Status: Draft
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
157 vulnerabilities reference this CWE, most recent first.
GHSA-7P24-RQ5Q-3RRV
Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2026-02-03 00:30Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.
{
"affected": [],
"aliases": [
"CVE-2025-22381"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T15:15:32Z",
"severity": "HIGH"
},
"details": "Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user\u0027s password.",
"id": "GHSA-7p24-rq5q-3rrv",
"modified": "2026-02-03T00:30:16Z",
"published": "2025-10-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22381"
},
{
"type": "WEB",
"url": "https://github.com/TID-Lab/aggie/tree/a9d5becaff3ea90720ea7213c80825e253b8a730"
},
{
"type": "WEB",
"url": "https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-22381"
},
{
"type": "WEB",
"url": "https://github.com/pescada-dev/CVE-2025-22381"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-83JV-37P5-GC2R
Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2019-25653"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T12:16:17Z",
"severity": "MODERATE"
},
"details": "Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.",
"id": "GHSA-83jv-37p5-gc2r",
"modified": "2026-03-30T12:32:27Z",
"published": "2026-03-30T12:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25653"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46383"
},
{
"type": "WEB",
"url": "https://www.navicat.com/es"
},
{
"type": "WEB",
"url": "https://www.navicat.com/es/download/navicat-for-oracle"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/navicat-for-oracle-password-field-denial-of-service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8477-VWG3-3X2M
Vulnerability from github – Published: 2025-07-09 06:30 – Updated: 2025-07-09 06:30The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-4606"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-09T04:16:09Z",
"severity": "CRITICAL"
},
"details": "The Sala - Startup \u0026 SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user\u0027s identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-8477-vwg3-3x2m",
"modified": "2025-07-09T06:30:25Z",
"published": "2025-07-09T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4606"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955?s_rank=4"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa385a1f-1623-4f0a-bb2f-d4564b8f91bf?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8C83-CVGQ-PP7W
Vulnerability from github – Published: 2026-02-24 21:31 – Updated: 2026-02-26 03:31EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2026-24443"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T21:16:29Z",
"severity": "HIGH"
},
"details": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.",
"id": "GHSA-8c83-cvgq-pp7w",
"modified": "2026-02-26T03:31:17Z",
"published": "2026-02-24T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24443"
},
{
"type": "WEB",
"url": "https://www.eventsentry.com/downloads/version-history"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8J63-78XQ-X2Q3
Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-08 18:30Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2025-63362"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T19:16:04Z",
"severity": "CRITICAL"
},
"details": "Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.",
"id": "GHSA-8j63-78xq-x2q3",
"modified": "2025-12-08T18:30:25Z",
"published": "2025-12-04T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63362"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://otsecverse.github.io/OTSecVerse/posts/Post-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PG2-F5FH-MJ6F
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker connected to the charging station web server to modify the password of a user.
{
"affected": [],
"aliases": [
"CVE-2021-22773"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker connected to the charging station web server to modify the password of a user.",
"id": "GHSA-8pg2-f5fh-mj6f",
"modified": "2022-05-24T19:08:47Z",
"published": "2022-05-24T19:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22773"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8VGV-FFV5-269J
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-28 03:31An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
{
"affected": [],
"aliases": [
"CVE-2026-30458"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T19:17:00Z",
"severity": "CRITICAL"
},
"details": "An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users\u0027 password reset tokens via a mail splitting attack.",
"id": "GHSA-8vgv-ffv5-269j",
"modified": "2026-03-28T03:31:25Z",
"published": "2026-03-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30458"
},
{
"type": "WEB",
"url": "https://github.com/daylightstudio/FUEL-CMS"
},
{
"type": "WEB",
"url": "https://pentest-tools.com/PTT-2025-025-Account-Takeover-via-Email-Array.pdf"
},
{
"type": "WEB",
"url": "http://daylight.com"
},
{
"type": "WEB",
"url": "http://fuelcms.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-93CQ-WG48-929M
Vulnerability from github – Published: 2025-03-01 09:30 – Updated: 2025-03-01 09:30The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2024-12824"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-01T07:15:09Z",
"severity": "CRITICAL"
},
"details": "The Nokri \u2013 Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-93cq-wg48-929m",
"modified": "2025-03-01T09:30:28Z",
"published": "2025-03-01T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12824"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93X3-M7PW-PPQM
Vulnerability from github – Published: 2024-05-13 14:57 – Updated: 2024-05-14 20:01Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.
The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.
A brute-force attack calling account_update.php with increasing user IDs is possible.
Impact
A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.
Patches
92d11a01b195a1b6717a2f205218089158ea6d00
Workarounds
Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).
References
https://mantisbt.org/bugs/view.php?id=34433
Credits
Alexander Christian, from Vantage Point Security Indonesia
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.1"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34077"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-13T14:57:13Z",
"nvd_published_at": "2024-05-14T15:38:28Z",
"severity": "HIGH"
},
"details": "Insufficient access control in the registration and password reset process allows an attacker to reset another user\u0027s password and takeover their account, if the victim has an incomplete request pending.\n\nThe exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.\n\nA brute-force attack calling account_update.php with increasing user IDs is possible. \n \n### Impact\n\nA successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.\n\n### Patches\n\n92d11a01b195a1b6717a2f205218089158ea6d00\n\n### Workarounds\n\nMitigate the risk by reducing the verification token\u0027s validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in *constants_inc.php*).\n\n### References\n\nhttps://mantisbt.org/bugs/view.php?id=34433\n\n### Credits\n\nAlexander Christian, from Vantage Point Security Indonesia\n",
"id": "GHSA-93x3-m7pw-ppqm",
"modified": "2024-05-14T20:01:07Z",
"published": "2024-05-13T14:57:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=34433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process"
}
GHSA-94R8-MJP9-M9V4
Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-05-09 09:33The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known.
{
"affected": [],
"aliases": [
"CVE-2025-2253"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-09T07:16:04Z",
"severity": "CRITICAL"
},
"details": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user\u0027s passwords, including administrators if the users email is known.",
"id": "GHSA-94r8-mjp9-m9v4",
"modified": "2025-05-09T09:33:18Z",
"published": "2025-05-09T09:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2253"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When prompting for a password change, force the user to provide the original password in addition to the new password.
Mitigation
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
No CAPEC attack patterns related to this CWE.