One Click Orgs before 1.2.3 does not require unique e-mail addresses for user accounts, which allows remote authenticated users to cause a denial of service (login disruption) or spoof votes or comments by selecting a conflicting e-mail address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| One_click_orgs | Oneclickorgs | * | 1.2.2 (including) |
| One_click_orgs | Oneclickorgs | 1.0.0 (including) | 1.0.0 (including) |
| One_click_orgs | Oneclickorgs | 1.0.1 (including) | 1.0.1 (including) |
| One_click_orgs | Oneclickorgs | 1.1.0 (including) | 1.1.0 (including) |
| One_click_orgs | Oneclickorgs | 1.1.1 (including) | 1.1.1 (including) |
| One_click_orgs | Oneclickorgs | 1.2.0 (including) | 1.2.0 (including) |
| One_click_orgs | Oneclickorgs | 1.2.1 (including) | 1.2.1 (including) |
References
- http://dmcdonald.net/?page_id=43
- https://groups.google.com/group/oneclickorgs-devspace/msg/26c40a4cc9e127d2?hl=en\u0026dmode=source\u0026output=gplain
- http://dmcdonald.net/?page_id=43
- https://groups.google.com/group/oneclickorgs-devspace/msg/26c40a4cc9e127d2?hl=en\u0026dmode=source\u0026output=gplain