CVE-2009-4851

Name of the Vulnerable Software and Affected Versions XOOPS versions prior to 2.4.1

Description The issue concerns the activation resend function in the Profiles module. It allows remote attackers to bypass administrative approval by sending arbitrary activation requests, which results in the system sending activation codes. This is possible due to a flaw in the activate.php endpoint.

Recommendations For versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the activate.php endpoint to minimize the risk of exploitation.