CVE-2018-11554

Name of the Vulnerable Software and Affected Versions YzmCMS versions 3.2 through 3.7

Description The issue concerns the forgotten-password feature in the index.php/member/reset/reset email.html file, which has a Response Discrepancy Information Exposure problem. Additionally, the verification code has an unexpectedly long lifetime, making it easier for remote attackers to hijack accounts via a brute-force approach.

Recommendations For YzmCMS versions 3.2 through 3.7, consider temporarily restricting access to the forgotten-password feature in index.php/member/reset/reset email.html until a patch is available. As a mitigation measure, restrict the number of attempts allowed for password reset to minimize the risk of brute-force attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.