Old password is never checked before setting new one.
vulners.com/securityvulns/securityvulns:doc:7579