Description
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.
Remediation
References