Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.
CPE | Name | Operator | Version |
---|---|---|---|
zikula_application_framework | eq | 1.1.2 | |
zikula_application_framework | le | 1.2.2 | |
zikula_application_framework | eq | 1.2.1 |