DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published: 2007-04-11T22:00:00
Updated: 2024-08-07T12:50:35.051Z
Reserved: 2007-03-08T00:00:00
Link: CVE-2007-1364

No data.

Status : Modified
Published: 2007-04-11T22:19:00.000
Modified: 2024-11-21T00:28:07.757
Link: CVE-2007-1364

No data.