Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.
References
Configurations
Configuration 1 (hide)
|
Information
Published : 2011-02-08 14:00
Updated : 2011-02-13 21:00
NVD link : CVE-2010-4729
Mitre link : CVE-2010-4729
JSON object : View
CWE
CWE-352
Cross-Site Request Forgery (CSRF)
Products Affected
zikula
- zikula_application_framework