First of all I'd like to thank all the developers of yabbse
for creating this reliable, fast, easy-to-use, and overall
Version: yabbse 151
Problem description: When a user changes their email
address, a new, randomly generated password is sent to
the new address. This works all right. BUT when the
user changes the password at the same time, the
password is not generated, but the new email address
and the newly given password are valid.
Correct functioning: would be in this case, that a new
password is generated and sent to the new email
Risk: medium security. When exploited, the whole email
address validation is ignored.
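
A minimal model of the flaw reported above next to the behaviour the report asks for, added here as an example; it is not yabbse code. The function names, the user dictionary and the outbox list are assumptions made for illustration.

```python
import secrets

# Constructed model: a user record is a dict, "sending mail" appends
# (recipient, generated_password) to a list. Real code would hash passwords.

def _new_password():
    return secrets.token_urlsafe(9)

def update_profile_reported(user, new_email=None, new_password=None):
    """Models the reported behaviour: a supplied password suppresses the
    generated one, so the new address is accepted without validation."""
    outbox = []
    email_changed = new_email is not None and new_email != user["email"]
    if email_changed:
        user["email"] = new_email
    if new_password is not None:
        user["password"] = new_password          # no mail is sent
    elif email_changed:
        user["password"] = _new_password()
        outbox.append((new_email, user["password"]))
    return outbox

def update_profile_expected(user, new_email=None, new_password=None):
    """Models the behaviour the report asks for: an email change always
    forces a generated password mailed to the new address."""
    outbox = []
    email_changed = new_email is not None and new_email != user["email"]
    if email_changed:
        user["email"] = new_email
        user["password"] = _new_password()       # user-chosen value is ignored
        outbox.append((new_email, user["password"]))
    elif new_password is not None:
        user["password"] = new_password          # plain password change
    return outbox

if __name__ == "__main__":
    u = {"email": "old@example.test", "password": "old"}
    print("reported:", update_profile_reported(u, "new@example.test", "chosen"), u)
    u = {"email": "old@example.test", "password": "old"}
    sent = update_profile_expected(u, "new@example.test", "chosen")
    print("expected: mail sent to", [rcpt for rcpt, _ in sent])
```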