CWE-620

Overview
  • CWE ID: 620
  • CWE Name: Unverified Password Change
  • CWE Abstraction: Base
  • CWE Structure: Simple
  • CWE Status: Draft
Description
When setting a new password for a user, the product does not require knowledge of the original password or any other form of authentication.
Extended Description
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Related CWEs
CWE ID   View ID   Nature    Ordinal
1390     1000      ChildOf   Primary