Description

The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.

Remediation

References

CVE-2009-4851

Related Vulnerabilities

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2367)

WordPress Plugin Secure Copy Content Protection and Content Locking SQL Injection (2.6.6)

phpBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2002-2255)

WordPress Plugin Default Facebook Thumbnails Multiple Vulnerabilities (0.4)

Apache HTTP Server Use After Free Vulnerability (CVE-2017-9798)

Severity

Medium

Classification

CVE-2009-4851 CWE-264

Tags

Missing Update Known Vulnerabilities