Description

The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.

Remediation

References

CVE-2009-4851

Related Vulnerabilities

Rukovoditel Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-43169)

Apache HTTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2003-1581)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4283)

Oracle Database Server CVE-2017-10120 Vulnerability (CVE-2017-10120)

Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4193)

Severity

Medium

Classification

CVE-2009-4851 CWE-264

Tags

Missing Update Known Vulnerabilities