Phpizabi · Phpizabi · CVE-2008-2018
**Name of the Vulnerable Software and Affected Versions**
PHPizabi version 0.848b C1 HFP3
**Description**
The AssignUser function in template.class.php performs unsafe macro expansion on any string delimited by '{' and '}' characters, including strings supplied by users. Because user-written comments are passed through this expansion, a remote authenticated user can obtain sensitive information by posting a comment containing a macro. This is demonstrated by posting the comment "{user.password}" on the profile of the admin user: when the profile is rendered, the macro is expanded with the admin user's data and the password value is disclosed to the viewer.
**Recommendations**
For PHPizabi version 0.848b C1 HFP3, apply a vendor fix if one is available. Until then, treat every user-supplied string (comments, profile fields, messages) as data rather than template text: neutralise the '{' and '}' delimiters, or otherwise prevent AssignUser in template.class.php from expanding macros in such strings, before they are rendered. Independently, keep the user's password (or password hash) out of the variable set the template engine can reach, so that even an unexpected expansion cannot disclose it. If the site may already have been targeted, assume the administrator credential has been exposed and rotate it, and review existing comments on high-privilege profiles for brace-delimited macros.
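The following is an added example, not PHPizabi's own code and not a reproduction of template.class.php. It uses a minimal stand-in for a {object.field} macro expander to show why running a user-written comment through the expander leaks the profile owner's data, and how the two mitigations above (escaping the delimiters in user text, and removing secrets from the template scope) stop it. All function names, the variable layout and the sample values are hypothetical and constructed for this illustration.

```php
<?php
// Added example (not PHPizabi code): a stand-in for a template engine that
// expands {object.field} macros, the vulnerable and the hardened rendering
// path side by side.

// Hypothetical data, constructed for the example: the variables a profile
// page has in scope when it renders. The password value is made up.
$vars = [
    'user' => [
        'name'     => 'admin',
        'email'    => 'admin@example.test',
        'password' => 'hunter2',   // a real app stores a hash; it is still a secret
    ],
];

// Unsafe: expand every {a.b} macro found in the string, whatever its origin.
// This mirrors the behaviour the advisory describes: expansion is driven by
// the '{' and '}' delimiters alone, not by where the text came from.
function expandMacrosUnsafe(string $text, array $vars): string
{
    return preg_replace_callback(
        '/\{([a-zA-Z_]+)\.([a-zA-Z_]+)\}/',
        function (array $m) use ($vars): string {
            return isset($vars[$m[1]][$m[2]]) ? (string) $vars[$m[1]][$m[2]] : $m[0];
        },
        $text
    );
}

// Fix 1: user-controlled text is data, never template. Neutralise the macro
// delimiters before the text can reach the expander. HTML entities are used
// here because the result is rendered as HTML anyway; the expander's regex
// no longer sees a literal '{' or '}'.
function escapeMacroDelimiters(string $userText): string
{
    return str_replace(['{', '}'], ['&#123;', '&#125;'], $userText);
}

// Fix 2 (defence in depth): secrets never belong in the template scope at all,
// so even an expansion that slips through has nothing sensitive to disclose.
function stripSecretsFromScope(array $vars): array
{
    unset($vars['user']['password']);
    return $vars;
}

// Render a profile page. The page template is trusted; the comment is not.
// In the vulnerable path the comment body is inserted as-is and then the
// whole page, comment included, goes through the macro expander.
function renderProfile(string $template, string $comment, array $vars, bool $hardened): string
{
    if ($hardened) {
        $vars    = stripSecretsFromScope($vars);
        $comment = escapeMacroDelimiters($comment);
    }
    $page = str_replace('{comment}', $comment, $template);
    return expandMacrosUnsafe($page, $vars);
}

// Constructed inputs: the trusted page template and an attacker's comment
// posted on the admin user's profile, as in the advisory.
$template        = "<h1>{user.name}</h1>\n<div class=\"comment\">{comment}</div>\n";
$attackerComment = 'Nice profile! {user.password}';

echo "--- vulnerable ---\n" . renderProfile($template, $attackerComment, $vars, false);
// The comment div now reads "Nice profile! hunter2": the admin's secret is shown
// to whoever views the profile.

echo "--- hardened ---\n" . renderProfile($template, $attackerComment, $vars, true);
// The comment div reads "Nice profile! &#123;user.password&#125;", which the
// browser displays as the literal text "{user.password}"; {user.name} in the
// trusted template still expands to "admin".
```

Escaping the delimiters is the change that addresses the advisory directly, since it makes the origin of a string (trusted template versus user input) decide whether macros are honoured. Stripping secrets from the scope costs nothing and catches any other path that ends up in the expander, which is why both are applied together.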