PT-2002-2568 · Yet Another Bulletin Board · Yabb

Published 2002-12-31 · Updated 2008-09-05 · CVE-2002-1846

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Yet Another Bulletin Board (YaBB) versions 1.40 through 1.41

Description
The profile modification feature allows remote attackers to change another user's password without supplying that user's current password. An attacker who has stolen the victim's cookie can alter its expiretime value so that the stolen cookie is still accepted, then submit the password change as a "profile2" action to "index.php". The change is authorized by the cookie alone: the current password is never checked, and the expiry that is enforced is a value the client controls.

Recommendations
For versions 1.40 and 1.41, restrict access to the "profile2" action of "index.php" (for example by blocking it at the web server) until a proper fix is in place, so that password changes cannot be submitted at all. A proper fix must require the current password for every password change and must not rely on the expiretime value sent back by the client for session expiry. Users whose cookies may have been exposed should change their passwords once the fix is applied.
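The description above names two defects: an expiry value trusted from the client's cookie, and a password change that never asks for the current password. The following Python model is an added illustration of that flaw class and its hardened counterpart; it is not YaBB's Perl code and is not taken from this advisory. The cookie layout `user|token|expiretime`, the in-memory user and session stores, and every function name are assumptions made for the example.

```python
"""Illustrative model of the CVE-2002-1846 flaw class (not YaBB's code).

profile2_vulnerable() trusts the expiretime field of the cookie and demands
no current password, so a stolen cookie with a bumped expiretime is enough.
profile2_hardened() keeps expiry on the server and requires the current
password. Cookie format and stores are constructed for this example.
"""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the forum's member files.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # username -> {"token": str, "expires": int} (server-side expiry)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def login(username, password, now, lifetime=3600):
    """Issue a cookie 'user|token|expiretime' (assumed layout). The
    expiretime field is the client-visible copy the vulnerable handler trusts."""
    if not verify_password(username, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[username] = {"token": token, "expires": now + lifetime}
    return f"{username}|{token}|{now + lifetime}"


def parse_cookie(cookie):
    user, token, expiretime = cookie.split("|")
    return user, token, int(expiretime)


def profile2_vulnerable(cookie, form, now):
    """Password change authorized by the cookie alone: expiry is read from
    the cookie itself and no current password is demanded."""
    user, token, expiretime = parse_cookie(cookie)
    sess = SESSIONS.get(user)
    if sess is None or sess["token"] != token:
        return "rejected: unknown session"
    if expiretime < now:                      # attacker-controlled value
        return "rejected: cookie expired"
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash(form["newpass"], salt)}
    return "changed"


def profile2_hardened(cookie, form, now):
    """Same action with server-side expiry and a current-password check."""
    user, token, _ = parse_cookie(cookie)     # cookie expiretime is ignored
    sess = SESSIONS.get(user)
    if sess is None or not hmac.compare_digest(sess["token"], token):
        return "rejected: unknown session"
    if sess["expires"] < now:                 # server's own record of expiry
        return "rejected: session expired"
    if not verify_password(user, form.get("oldpass", "")):
        return "rejected: current password required"
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash(form["newpass"], salt)}
    SESSIONS.pop(user, None)                  # force re-login after the change
    return "changed"


def attack_with_stolen_cookie(handler, now):
    """Replay a cookie stolen two hours ago (server session long expired)
    with its expiretime pushed into the future, sending only a new password."""
    register("victim", "correct horse")
    cookie = login("victim", "correct horse", now=now - 7200, lifetime=3600)
    user, token, _ = parse_cookie(cookie)
    forged = f"{user}|{token}|{now + 999_999}"
    return handler(forged, {"newpass": "pwned"}, now)


if __name__ == "__main__":
    print("vulnerable:", attack_with_stolen_cookie(profile2_vulnerable, now=1_000_000))
    print("hardened:  ", attack_with_stolen_cookie(profile2_hardened, now=1_000_000))
```

Run stand-alone, the vulnerable handler accepts the forged cookie and the victim's password becomes "pwned", while the hardened handler refuses on its own session record before it ever looks at the submitted form; a legitimate change through the hardened path still fails unless the current password is supplied alongside the new one.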

Fix


Related identifiers

CVE-2002-1846

Affected products

Yabb