DropAFew prior to 0.2.1 does not require authorization for certain privileged actions, which allows remote malicious users to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.
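The three actions above share one root cause: each script acts on the request without first checking who is asking, and in the `editlogcal.php` case the `id` parameter alone selects which user's record is shown. The following PHP is an added example of the authorization pattern that closes that gap; it is not DropAFew's own code. It assumes a PHP session holding the logged-in user's id and an administrator flag, a PDO connection `$db`, and the hypothetical tables `calorie_log(id, user_id, entry_date, calories)`, `links(url, title)` and `users(username, password_hash)`; gating link creation and account creation behind an administrator role is likewise an assumption about how the application is meant to be used.

```php
<?php
// Added example, not DropAFew code. Authorization helpers for the three
// scripts named in the advisory. Assumptions: a PHP session that stores
// the caller's id ($_SESSION['user_id']) and role ($_SESSION['is_admin']),
// a PDO connection $db, and the hypothetical tables calorie_log, links, users.
session_start();

function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Every privileged script calls this first; an anonymous request never
// reaches the query.
function require_login(): int {
    $uid = current_user_id();
    if ($uid === null) {
        http_response_code(403);
        exit('login required');
    }
    return $uid;
}

function require_admin(): void {
    require_login();
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('administrator privileges required');
    }
}

// editlogcal.php: the id is only half of the lookup key. Scoping the query
// to the session user means an id belonging to someone else returns nothing,
// so the parameter cannot be used to read other users' calorie logs.
function load_own_calorie_log(PDO $db, int $id): array {
    $uid = require_login();
    $stmt = $db->prepare(
        'SELECT id, user_id, entry_date, calories
           FROM calorie_log
          WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Same response whether the row is absent or owned by another user,
        // so the id space cannot be probed to learn which entries exist.
        http_response_code(404);
        exit('not found');
    }
    return $row;
}

// links.php: adding a link is a privileged write, so it is gated on the
// administrator role (assumed policy) and uses a prepared statement.
function add_link(PDO $db, string $url, string $title): void {
    require_admin();
    $stmt = $db->prepare('INSERT INTO links (url, title) VALUES (:url, :title)');
    $stmt->execute([':url' => $url, ':title' => $title]);
}

// newaccount2.php: account creation is gated the same way (assumed policy),
// and the password is stored as a hash rather than in clear text.
function create_user(PDO $db, string $username, string $password): void {
    require_admin();
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}
```

In `editlogcal.php` the page handler would then start with `$log = load_own_calorie_log($db, (int) ($_GET['id'] ?? 0));` and only render `$log`, so the ownership check cannot be skipped by reaching the script directly. The decisive design choice is that the owner check is folded into the query's `WHERE` clause rather than performed after the fetch: there is no code path where a record belonging to another user is loaded and then conditionally displayed.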
Vulnerable Product |
---|
dropafew dropafew |