The new_password page in PBBoard 2.1.4 allows remote attackers to change the password of arbitrary user accounts via the member_id and new_password parameters to index.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/77506
http://www.pbboard.com/forums/t10353.html
http://www.pbboard.com/forums/t10352.html