CVE-2007-1964

Name of the Vulnerable Software and Affected Versions MyBB (affected versions not specified)

Description The issue allows remote authenticated users to change the password of any account by exploiting a flaw in the debug mode of MyBB. Specifically, when debug mode is available, providing the account's registered e-mail address in a debug request for a do lostpw action prints the change password verification code in the debug output. This enables attackers to obtain the necessary information to reset passwords without authorization.

Recommendations For MyBB, consider disabling the debug mode to prevent exploitation of this issue. As a temporary workaround, restrict access to the debug functionality to minimize the risk of unauthorized password changes. Avoid using the debug mode for do lostpw actions until a fix is available.