Vulnerabilities > Zikula > Zikula Application Framework > 1.2.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2011-02-08 | CVE-2011-0911 | Cross-Site Scripting vulnerability in Zikula Application Framework Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2011-02-08 | CVE-2011-0535 | Cross-Site Request Forgery (CSRF) vulnerability in Zikula Application Framework Cross-site request forgery (CSRF) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change account privileges via an edit access_permissions action to index.php. | 6.8 |
| 2011-02-08 | CVE-2010-4729 | Cross-Site Request Forgery (CSRF) vulnerability in Zikula Application Framework 1.1.2/1.2.1 Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissions. | 6.8 |
| 2011-02-08 | CVE-2010-4728 | Cryptographic Issues vulnerability in Zikula Application Framework Zikula before 1.3.1 uses the rand and srand PHP functions for random number generation, which makes it easier for remote attackers to defeat protection mechanisms based on randomization by predicting a return value, as demonstrated by the authid protection mechanism. | 5.0 |