CVE-2007-1364

Sažetak

DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.

Reference

http://secunia.com/advisories/24861
http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437
http://www.securityfocus.com/bid/23400
https://exchange.xforce.ibmcloud.com/vulnerabilities/33561
https://www.cynops.de/advisories/CVE-2007-1363.txt

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

29-07-2017 - 01:30

Objavljeno

11-04-2007 - 22:19