When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
View on MITREThis could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
When prompting for a password change, force the user to provide the original password in addition to the new password.
No detection method information available for this CWE.
This code changes a user's password.
While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account.
Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
View DetailsWeb application password change utility doesn't check the original password.
View DetailsCWE-620: Unverified Password Change is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
If exploited, CWE-620 (Unverified Password Change) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism and Gain Privileges or Assume Identity.
Recommended mitigations for CWE-620 include: When prompting for a password change, force the user to provide the original password in addition to the new password.
CWE-620 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-620, including CVE-2007-0681 and CVE-2000-0944. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-620 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.