CVE Vulnerability

CVE-2007-1364

DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
https://www.cynops.de/advisories/CVE-2007-1363.txt Vendor Advisory
http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437 Patch
http://www.securityfocus.com/bid/23400 Exploit
http://secunia.com/advisories/24861 Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/33561
Configurations

Configuration 1

cpe:2.3:a:dropafew:dropafew:*:*:*:*:*:*:*:*
Information

Published : 2007-04-11 10:19

Updated : 2017-07-29 01:30

NVD link : CVE-2007-1364

Mitre link : CVE-2007-1364

Products Affected
No products.
CWE
NVD-CWE-Other