The server fails to properly validate the user session during a password change request. A low-privileged "support" user (often a default diagnostic account) can intercept a password change request and simply modify the username parameter to admin .