Unverified Password Change in instantsoft/icms2
Description
Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient validation in icms2 prior to 2.16.1-git allows setting the new password identical to the old one, enabling unverified password changes.
Vulnerability
In icms2 versions prior to 2.16.1-git, the password change form lacked a validation rule to ensure the new password differs from the current password. This affects the password change functionality in the user profile. [1]
Exploitation
An authenticated user could exploit this by submitting a password change request where the new password matches the existing one. No additional privileges or interaction beyond standard authentication are required. [1]
Impact
Successful exploitation allows an attacker to perform an unverified password change, potentially undermining password change policies. This could facilitate maintaining access after a compromise or bypassing password rotation requirements. The confidentiality, integrity and availability (CIA) impact is low, primarily affecting the integrity of password management. [1]
Mitigation
The issue is fixed in commit 58f8b9941b53b606a1b15a4364005cd2b1965507, which was included in version 2.16.1-git. Users should upgrade to this version or later. No workaround is available. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
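The validation rule described above, as an added illustration written for this page (it is not icms2's own code and does not reproduce the fix commit; the function name, the error codes, the 8-character minimum and the use of password_hash() digests are assumptions):

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical password-change validator (illustration only, not icms2 code).
 * Assumes the account password is stored as a password_hash() digest and that
 * the caller has already authenticated the user's session.
 *
 * Returns a list of error codes; an empty list means the change may proceed.
 */
function validate_password_change(
    string $storedHash,
    string $currentPassword,
    string $newPassword,
    string $confirmPassword
): array {
    $errors = [];

    // Re-authenticate: a valid session alone is not proof of possession of the password.
    if (!password_verify($currentPassword, $storedHash)) {
        return ['current_password_incorrect'];
    }

    if (!hash_equals($newPassword, $confirmPassword)) {
        $errors[] = 'confirmation_mismatch';
    }

    if (strlen($newPassword) < 8) {   // minimum length is an assumed policy value
        $errors[] = 'new_password_too_short';
    }

    // The rule that was missing before 2.16.1-git: the new password must not
    // equal the one currently on the account. Checking against the stored hash
    // rather than the submitted $currentPassword keeps the rule effective even
    // if the form were ever changed to stop asking for the current password.
    if (password_verify($newPassword, $storedHash)) {
        $errors[] = 'new_password_same_as_current';
    }

    return $errors;
}

// Constructed demonstration data (not taken from the advisory).
$storedHash = password_hash('CorrectHorse42', PASSWORD_DEFAULT);

// Rejected: the new password is identical to the current one.
var_dump(validate_password_change($storedHash, 'CorrectHorse42', 'CorrectHorse42', 'CorrectHorse42'));

// Accepted: returns an empty error list.
var_dump(validate_password_change($storedHash, 'CorrectHorse42', 'BatteryStaple99', 'BatteryStaple99'));
```

The same-as-current check is deliberately placed after re-verification of the current password, so a caller never learns whether a guessed string matches the stored credential unless it has already proven knowledge of it; with that ordering the "new equals old" rejection only confirms what the requester already knows.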
Affected products
- Range: < 2.16.1-git
- instantsoft/instantsoft/icms2v5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.