CWE-620 - Unverified Password Change

Description

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. The weakness is introduced during Architecture and Design, Implementation stages.

Latest vulnerabilities for CWE-620

Privilege escalation in Cisco Expressway Series and TelePresence Video Communication Server 2023-06-08
Medium Yes

Unverified password change in FortiADC 2022-08-02
Low Yes

Multiple vulnerabilities in Johnson Controls Metasys ADS/ADX/OAS Servers 2022-04-19
High Yes

Multiple vulnerabilities in LenovoEMC NAS Web GUI 2018-09-29
Medium Yes

Multiple vulnerabilities in ProMinent MultiFLEX M10a Controller 2017-10-13
Low No

References

Description of CWE-620 on Mitre website