New password can be set as same as the old password in instantsoft/icms2


Reported on

Aug 14th 2023


The web application allows us to set new password as the old one at Password change function.


1/ Access to the demo website and go to My profile.

2/ Choose Edit profile, at the Security tab, change the password with the new password and the old password are the same.

3/ Logout and login again to verify that it's successful.

Proof of Concept

Link video PoC:


If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
a month ago


CWE-620 does not fit the described problem. But in general you are right, you can't let them change the password to what it was before. I'm not sure it can be considered a security issue.

a month ago


Hi @Fuze, I think it is also a security issue. If following OWASP checklist, it will be WSTG-ATHN-07 Testing for Weak Password Policy. Whatever you decide, I respect it. Thank you.

Fuze validated this vulnerability a month ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1-git with commit 58f8b9 a month ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
Fuze published this vulnerability a month ago
Fuze gave praise a month ago
Thank you.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
a month ago


Thank you too

to join this conversation