Vulnerability in Access_user Class prior to 1.75 allows local users to gain access as other users via the password "new".
access user class access user class 1.6