ID CVE-2007-1364
Summary DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.
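All three items in the summary have one root cause: a privileged page trusts a caller-supplied parameter (the `id` passed to editlogcal.php) or the bare fact that a request arrived, instead of first establishing who the caller is and what that caller owns. The PHP below is an added illustration of that pattern and of the deny-by-default fix; it is not DropAFew's code. The function names, the in-memory `$LOG_ENTRIES` table, the session layout and the role names are assumptions made for this example only.

```php
<?php
// Added example, not DropAFew source. Names, data and roles are hypothetical.

// Constructed stand-in for the calorie-log table: entry id => row.
$LOG_ENTRIES = [
    1 => ['owner' => 'alice', 'calories' => 2100],
    2 => ['owner' => 'bob',   'calories' => 1750],
];

// Vulnerable pattern (the bug class behind editlogcal.php): the row is
// selected by the caller-supplied id alone, so any visitor can read any
// user's log simply by changing the id parameter.
function view_log_vulnerable(array $entries, array $request): ?array
{
    $id = (int) ($request['id'] ?? 0);
    return $entries[$id] ?? null;
}

// Hardened pattern: require an authenticated session, then scope the lookup
// to rows the session user owns. Every other case is denied (null); a missing
// row and a foreign row get the same answer so the id space is not enumerable.
function view_log_hardened(array $entries, array $request, array $session): ?array
{
    if (empty($session['user'])) {
        return null;                       // anonymous: deny
    }
    $id  = (int) ($request['id'] ?? 0);
    $row = $entries[$id] ?? null;
    if ($row === null || $row['owner'] !== $session['user']) {
        return null;                       // not found or not the caller's row
    }
    return $row;
}

// The same deny-by-default rule for the two write actions in the summary
// (links.php, newaccount2.php): an action runs only when the session holds
// the role it requires, and an unknown action is never allowed.
function authorize_action(string $action, array $session): bool
{
    $required = ['add_link' => 'member', 'create_user' => 'admin'];  // assumed roles
    $roles    = $session['roles'] ?? [];
    return isset($required[$action]) && in_array($required[$action], $roles, true);
}

// Usage: an anonymous visitor and a logged-in member both ask for bob's entry
// (id 2); only the vulnerable lookup hands it over.
$anon  = [];
$alice = ['user' => 'alice', 'roles' => ['member']];

var_dump(view_log_vulnerable($LOG_ENTRIES, ['id' => '2']));
var_dump(view_log_hardened($LOG_ENTRIES, ['id' => '2'], $anon));
var_dump(view_log_hardened($LOG_ENTRIES, ['id' => '2'], $alice));
var_dump(view_log_hardened($LOG_ENTRIES, ['id' => '1'], $alice));
var_dump(authorize_action('add_link', $alice));
var_dump(authorize_action('create_user', $alice));
```

The check worth carrying over to any PHP application of this vintage is the ownership comparison inside the data access path, not only a login test at the top of the script: a logged-in user who can still reach other users' rows by editing `id` is the first case in the summary.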
References
Vulnerable Configurations
  • cpe:2.3:a:dropafew:dropafew:*:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 29-07-2017 - 01:30)
Impact: 4.9
Exploitability: 10.0
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK    Complexity: LOW    Authentication: NONE
Impact
  Confidentiality: PARTIAL    Integrity: PARTIAL    Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
refmap via4
bid 23400
confirm http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437
misc https://www.cynops.de/advisories/CVE-2007-1363.txt
secunia 24861
xf dropafew-editlogcal-information-disclosure(33561)
Last major update 29-07-2017 - 01:30
Published 11-04-2007 - 22:19
Last modified 29-07-2017 - 01:30