033 – Password change without identity check

Description

The system allows a user to change their password without requesting the previous one or enforcing another identity verification mechanism.

Impact

Gain total control over a user account.

Recommendation

- Guarantee that the current password is needed when a password change is requested by users. - Use a second authentication mechanism to ensure the password change is performed by the account owner.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

15 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: L
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 238 - Establish safe recovery

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/07