Yabb · Yabb · CVE-2004-0294
**Name of the Vulnerable Software and Affected Versions**
YaBB version 1 SP 1.3.1
**Description**
The software displays different error messages depending on whether a user exists, which allows remote attackers to identify valid users. This makes it easier to conduct a brute-force password-guessing attack.
**Recommendations**
For YaBB version 1 SP 1.3.1, consider modifying the error messages to be generic, so that they do not disclose whether a user exists, until a patch is available. As a temporary workaround, restrict access to the user login functionality to minimize the risk of exploitation.
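
The generic-error recommendation above, as an added Python sketch that is not YaBB's own code: a login handler with the disclosing behaviour beside a hardened form, plus a regression check that compares the two failure responses. The user store, message texts and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: one real account, plus a dummy record that is
# verified for unknown usernames so they cost the same hashing work.
USERS = {"alice": _record("correct horse")}
_DUMMY = _record("no-such-account")

def login_disclosing(username, password):
    """The flaw the advisory describes: the message reveals whether the
    user exists. The message texts are constructed, not YaBB's."""
    if username not in USERS:
        return False, "User does not exist."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password."
    return True, "Welcome."

def login_generic(username, password):
    """Hardened form: one failure message for every failed attempt."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return True, "Welcome."
    return False, GENERIC_ERROR

def discloses_user_existence(login, known_user, absent_user):
    """Regression check for your own handler: a failed login for an existing
    user and for a non-existent user must produce identical responses."""
    wrong = "not-the-password"
    return login(known_user, wrong) != login(absent_user, wrong)

if __name__ == "__main__":
    for handler in (login_disclosing, login_generic):
        print(handler.__name__, discloses_user_existence(handler, "alice", "mallory"))
```

The same comparison should cover every part of the response a client can observe, such as status codes and redirects, not only the message text.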