CWE-620: Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.
Abstraction: Base
Common Consequences
Access Control → Bypass Protection Mechanism
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-20419 | 10.0 | 91.4% | — |
| CVE-2024-12824 | 9.8 | 42.4% | — |
| CVE-2025-4322 | 9.8 | 31.1% | — |
| CVE-2024-13375 | 9.8 | 10.6% | — |
| CVE-2020-7378 | 9.1 | 8.7% | — |
| CVE-2024-33699 | 9.9 | 7.2% | — |
| CVE-2025-4903 | 5.3 | 1.7% | — |
| CVE-2025-4903 | 5.3 | 1.7% | — |
| CVE-2025-6097 | 5.3 | 1.0% | — |
| CVE-2025-3603 | 9.8 | 0.7% | — |
Risk score: 4 / 100 (low-risk)
Active Threat: 4/50 · Minimal
Exploit Availability: 0/50 · Minimal