Description

Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.

Remediation

References

CVE-2010-4729

Related Vulnerabilities

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-1607)

WordPress Plugin Lingotek Translation Multiple Cross-Site Scripting Vulnerabilities (1.1.8)

Ruby on Rails Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-1497)

Apache Tomcat Other Vulnerability (CVE-2007-3383)

Apache Tomcat Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2002-2272)

Severity

Medium

Classification

CVE-2010-4729 CWE-352

Tags

Missing Update Known Vulnerabilities