Description
Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions.
Remediation
References
Related Vulnerabilities
WordPress Plugin PitchPrint Arbitrary File Upload (7.1.1)
WordPress 4.9.x Multiple Vulnerabilities (4.9)
WordPress Plugin Uploader 'uploadify.php' Arbitrary File Upload (1.0.4)
WordPress Plugin Easy Cookies Policy Cross-Site Scripting (1.6.2)
WordPress Plugin WP Server Health Stats Malicious Code (1.7.6)