Yzmcms · Yzmcms · CVE-2018-11554
**Name of the Vulnerable Software and Affected Versions**
YzmCMS versions 3.2 through 3.7
**Description**
The issue concerns the forgotten-password feature, reached through `index.php/member/reset/reset_email.html`, which has a Response Discrepancy Information Exposure (CWE-204): the server's response differs depending on whether the submitted value was valid, so a remote attacker can tell valid from invalid input from the response alone. In addition, the verification code issued for the reset has an unexpectedly long lifetime, so a large number of guesses can be made against a single code before it expires. Together these make it easier for a remote attacker to brute-force the verification code and hijack a member account.
**Recommendations**
For YzmCMS versions 3.2 through 3.7, consider temporarily disabling or restricting access to the forgotten-password feature at `index.php/member/reset/reset_email.html` until a patch is available. If the feature must stay enabled, limit the number of verification attempts allowed per reset request (and per source address), shorten the lifetime of the verification code and invalidate it after a single use, and return the same response for valid and invalid input so the response no longer discloses anything an attacker can use. At the moment there is no information about a newer version that contains a fix for this vulnerability.
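The following is an added example, not code from YzmCMS or from the original advisory, showing the two mitigations side by side: a request handler that answers differently depending on whether the account exists (the response-discrepancy pattern) next to one that answers uniformly, and a verification step that enforces a short code lifetime, a per-code attempt limit and single use. The account table, the 600-second lifetime and the 5-attempt limit are assumed values chosen for illustration; the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample account store; in a real CMS this would be the member table.
ACCOUNTS = {"alice@example.com": "alice"}

CODE_DIGITS = 6             # a 6-digit code has 10**6 possible values
CODE_TTL_SECONDS = 600      # assumed: 10 minutes instead of an "unexpectedly long" lifetime
MAX_VERIFY_ATTEMPTS = 5     # assumed: guesses allowed per issued code before it is discarded


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class ResetFlow:
    """Server-side state for password-reset codes, keyed by account email."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock (seconds)
        self._pending: dict[str, PendingReset] = {}

    @staticmethod
    def _new_code() -> str:
        # CSPRNG, zero-padded so every code has exactly CODE_DIGITS characters.
        return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"

    def _issue(self, email: str) -> None:
        self._pending[email] = PendingReset(code=self._new_code(), issued_at=self._now())

    def request_reset_vulnerable(self, email: str) -> str:
        # Response discrepancy: the message itself reveals whether the address is registered.
        if email not in ACCOUNTS:
            return "no such account"
        self._issue(email)
        return "code sent"

    def request_reset(self, email: str) -> str:
        # Hardened: identical response whether or not the address is registered.
        if email in ACCOUNTS:
            self._issue(email)
        return "If that address is registered, a reset code has been sent."

    def verify(self, email: str, code: str) -> bool:
        """Return True only for a live, unexpired, not-yet-locked, correct code.

        Every failure path returns the same False so the caller cannot distinguish
        'no pending reset', 'expired', 'locked out' and 'wrong code'.
        """
        pending = self._pending.get(email)
        if pending is None:
            return False
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]        # expired: discard, forcing a fresh request
            return False
        pending.attempts += 1
        if pending.attempts > MAX_VERIFY_ATTEMPTS:
            del self._pending[email]        # attempt budget exhausted: discard the code
            return False
        if hmac.compare_digest(pending.code, code):   # constant-time comparison
            del self._pending[email]        # single use: a code never verifies twice
            return True
        return False

    def peek_code(self, email: str):
        # Test hook standing in for "read the code out of the e-mail"; not an API endpoint.
        pending = self._pending.get(email)
        return pending.code if pending else None


def brute_force_success_probability(digits: int = CODE_DIGITS,
                                    attempts: int = MAX_VERIFY_ATTEMPTS) -> float:
    """Chance of guessing a uniformly random code within the allowed attempts."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    flow = ResetFlow()
    print(flow.request_reset("nobody@example.com"))
    print(flow.request_reset("alice@example.com"))
    code = flow.peek_code("alice@example.com")
    print("correct code accepted:", flow.verify("alice@example.com", code))
    print("same code a second time:", flow.verify("alice@example.com", code))
    print("brute-force odds per request:", brute_force_success_probability())
```

With the attempt limit in place an attacker gets at most 5 guesses against 10**6 possible codes per reset request, so the remaining attack is to trigger many reset requests, which is why the recommendation above also calls for rate limiting per account and per source address.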