PHP-Nuke contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when PHP-Nuke fails to validate input in its functions, allowing a wide variety of system manipulation. One such example, as demonstrated in the Security Mail List Post, is that a malicious user can obtain the user id (UID) of an authorized user by brute force, and then call user.php with the saveuser() function, requesting that the user's password be sent to an arbitrary email address. This flaw may lead to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
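A defender-side check for the UID brute forcing described above, as an added example that is not from the original advisory or from PHP-Nuke: it scans web access-log lines for a single client calling the saveuser operation of user.php with many distinct user ids. The `op` and `uid` query parameter names, the log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2001:10:00:01 +0000] "GET /user.php?op=saveuser&uid=1 HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2001:10:00:02 +0000] "GET /user.php?op=saveuser&uid=2 HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2001:10:00:03 +0000] "GET /user.php?op=saveuser&uid=3 HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2001:10:00:04 +0000] "GET /user.php?op=saveuser&uid=4 HTTP/1.0" 200 512
203.0.113.20 - - [01/Jan/2001:10:05:00 +0000] "GET /user.php?op=saveuser&uid=15 HTTP/1.0" 200 512
203.0.113.20 - - [01/Jan/2001:10:06:00 +0000] "GET /user.php?op=saveuser&uid=15 HTTP/1.0" 200 512
203.0.113.20 - - [01/Jan/2001:10:07:00 +0000] "GET /index.php HTTP/1.0" 200 2048
"""

# client, request target and status from a common-log-format line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})'
)


def saveuser_uid_sweeps(log_text, min_distinct_uids=3):
    """Return {client: sorted uids} for clients that called the saveuser
    operation of user.php with at least min_distinct_uids different uids.

    A legitimate user edits one account, so several distinct uids from one
    client suggests the UID guessing the advisory describes. Only parameters
    in the query string are visible here; POST bodies are not logged.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, target, _status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/user.php"):
            continue
        query = parse_qs(url.query)
        if query.get("op", [""])[0].lower() != "saveuser":  # assumed name
            continue
        for uid in query.get("uid", []):  # assumed parameter name
            if uid.isdigit():
                seen[client].add(int(uid))
    return {c: sorted(u) for c, u in seen.items() if len(u) >= min_distinct_uids}


if __name__ == "__main__":
    for client, uids in saveuser_uid_sweeps(SAMPLE_LOG).items():
        print(f"{client}: saveuser requested for uids {uids}")
```

The threshold is a tuning choice: shared proxies and administrators may legitimately touch more than one account, so review hits rather than blocking on them directly.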