Vulnerability CVE-2007-1364


Published: 2007-04-11   Modified: 2012-02-12

Description:
DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.

CVSS2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Affected software: Dropafew

References:
http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437
https://www.cynops.de/advisories/CVE-2007-1363.txt
http://xforce.iss.net/xforce/xfdb/33561
http://www.securityfocus.com/bid/23400
http://secunia.com/advisories/24861

Copyright 2024, cxsecurity.com