CVE-2010-4729 Information

Description

Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.

Reference

http://code.zikula.org/core/ticket/1979 http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG