DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-04-11T22:00:00

Updated: 2024-08-07T12:50:35.051Z

Reserved: 2007-03-08T00:00:00

Link: CVE-2007-1364

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2007-04-11T22:19:00.000

Modified: 2024-11-21T00:28:07.757

Link: CVE-2007-1364

cve-icon Redhat

No data.