PHP-Nuke < 4.4 - Unauthenticated Banner URL Modification via Direct Change Operation
banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.