CWE-620: Unverified Password Change
32 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-620
- CVE-2018-8916 (MEDIUM, CVSS 6.3, 2018-06-08)
  Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.
- CVE-2020-7378 (CRITICAL, CVSS 9.1, EG 9.1, 2020-11-24)
  CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standa…
- CVE-2021-22773 (MEDIUM, CVSS 6.5, EG 6.5, 2021-07-21)
  A CWE-620: Unverified Password Change vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all …
- CVE-2021-34785 (MEDIUM, CVSS 6.5, EG 7.2, 2021-09-09)
  Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected system.
- CVE-2021-34786 (MEDIUM, CVSS 6.5, EG 6.5, 2021-09-09)
  Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected system.
- CVE-2022-21934 (HIGH, CVSS 8.0, EG 8.8, 2022-05-06)
  Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.
- CVE-2022-21935 (HIGH, CVSS 7.5, EG 7.5, 2022-06-15)
  A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
- CVE-2022-2930 (HIGH, CVSS 7.8, EG 7.8, 2022-08-22)
  Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.
- CVE-2022-3152 (HIGH, CVSS 8.8, EG 8.8, 2022-09-07)
  Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.
- CVE-2023-2297 (CRITICAL, CVSS 9.8, EG 9.8, 2023-04-27)
  The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality,…
- CVE-2023-2449 (CRITICAL, CVSS 9.8, EG 9.8, 2023-11-22)
  The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset …
- CVE-2023-25931 (MEDIUM, CVSS 6.4, EG 6.8, 2023-03-01)
  Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthori…
- CVE-2023-3069 (CRITICAL, CVSS 9.8, EG 7.6, 2023-06-02)
  Unverified Password Change in GitHub repository tsolucio/corebos prior to 8.
- CVE-2023-4214 (HIGH, CVSS 8.1, EG 8.1, 2023-11-18)
  The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or…
- CVE-2023-4381 (MEDIUM, CVSS 4.3, EG 4.3, 2023-08-16)
  Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
- CVE-2023-4465 (LOW, CVSS 2.7, EG 2.7, 2023-12-29)
  A vulnerability, which was classified as problematic, was found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE…
- CVE-2023-4915 (MEDIUM, CVSS 5.3, EG 5.3, 2023-09-13)
  The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the passwor…
- CVE-2023-5844 (HIGH, CVSS 7.2, EG 7.2, 2023-10-30)
  Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
- CVE-2024-20419 (CRITICAL, CVSS 10.0, EG 10.0, 2024-07-17)
  A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is…
- CVE-2024-21757 (MEDIUM, CVSS 6.1, EG 6.1, 2024-08-13)
  An unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.…
- CVE-2024-2213 (LOW, CVSS 3.3, EG 3.3, 2024-06-06)
  An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current…
- CVE-2024-23637 (MEDIUM, CVSS 4.2, EG 4.2, 2024-01-31)
  OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repea…
- CVE-2024-26520 (CRITICAL, CVSS 9.8, EG 9.8, 2024-07-26)
  An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password resets.
- CVE-2024-27715 (HIGH, CVSS 8.2, EG 8.2, 2024-07-05)
  An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.
- CVE-2024-28143 (HIGH, CVSS 8.4, EG 8.4, 2024-12-12)
  The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+-…
- CVE-2024-33699 (CRITICAL, CVSS 9.9, EG 9.9, 2024-10-30)
  The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the current password.
- CVE-2024-34077 (HIGH, CVSS 7.3, EG 7.3, 2024-05-14)
  MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an …
- CVE-2024-37998 (CRITICAL, CVSS 9.8, EG 9.8, 2024-07-22)
  A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). The password of administrative accounts of the affected applications can be reset without re…
- CVE-2024-51493 (MEDIUM, CVSS 5.3, EG 5.3, 2024-11-05)
  OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's Octo…
- CVE-2024-8794 (MEDIUM, CVSS 5.3, EG 5.3, 2024-09-24)
  The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a passwo…
- CVE-2026-8327 (MEDIUM, CVSS 4.3, EG 5.3, 2026-05-21)
  Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting r…
- CVE-2026-9249 (LOW, CVSS 3.1, EG 3.1, 2026-05-26)
  Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a cr…