A low-privileged user can bypass account credentials without confirming the users current authentication state, which may lead to unauthorized privilege escalation.
Weakness
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.