Description
member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account. Providing the account's registered e-mail address in a debug request for a do_lostpw action causes the change-password verification code to be printed in the debug output.
Remediation
References
Related Vulnerabilities
Moodle Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2016-7038)
SharePoint CVE-2020-1295 Vulnerability (CVE-2020-1295)
Magento CVE-2021-36021 Vulnerability (CVE-2021-36021)
MySQL CVE-2012-0540 Vulnerability (CVE-2012-0540)
WordPress Plugin Redirection HTTP Referrer Header HTML Injection (2.2.9)