MFScripts YetiShare v3.5.2 through v4.5.4 might allow an malicious user to reset a password by using a leaked hash (the hash never expires until used).
mfscripts yetishare