CVE-2007-1364

DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.

CVSS v2.0 6.4 MEDIUM

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/24861	Vendor Advisory
http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437	Patch
http://www.securityfocus.com/bid/23400	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/33561
https://www.cynops.de/advisories/CVE-2007-1363.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dropafew:dropafew:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2007-04-11 22:19

Updated : 2024-02-28 11:01

NVD link : CVE-2007-1364

Mitre link : CVE-2007-1364

CVE.ORG link : CVE-2007-1364

JSON object : View

Products Affected

dropafew

dropafew

CWE

NVD-CWE-Other

{"id": "CVE-2007-1364", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2007-04-11T22:19:00.000", "references": [{"url": "http://secunia.com/advisories/24861", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/23400", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33561", "source": "cve@mitre.org"}, {"url": "https://www.cynops.de/advisories/CVE-2007-1363.txt", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php."}, {"lang": "es", "value": "DropAFew versiones anteriores a 0.2.1, no requiere autorizaci\u00f3n para ciertas acciones con privilegios, lo que permite a atacantes remotos (1) visualizar la informaci\u00f3n cal\u00f3rica registrada de los usuarios arbitrarios por medio del par\u00e1metro id en el archivo editlogcal.php, (2) a\u00f1adir enlaces arbitrarios por medio del archivo links.php, o (3) crear usuarios arbitrarios por medio del archivo newaccount2.php."}], "lastModified": "2017-07-29T01:30:45.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dropafew:dropafew:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64C4B696-C5AF-4C47-91BB-B6EE202D6D89", "versionEndIncluding": "0.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}