Zikula prior to 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote malicious users to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.

Vulnerable Product |
---|
zikula zikula application framework |
zikula zikula application framework 1.1.2 |
zikula zikula application framework 1.2.1 |