Description
DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.
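The three items above share one root cause: a script performs a privileged action, or looks up a record by a request-supplied id, without first establishing who is asking and whether that caller may act. The PHP below is an added illustration of that pattern and its fix; it is not DropAFew's code, nothing here is taken from the exploit, and the handler names, the in-memory "storage", the session arrays and the assumption that adding links and creating accounts are administrator-only actions are all ours.

```php
<?php
// Added illustration (not DropAFew's code): the missing-authorization pattern
// the description lists for editlogcal.php, links.php and newaccount2.php,
// each beside a version that checks who is asking. Storage and the session are
// in-memory stand-ins so the file runs from the CLI; treating link creation and
// account creation as administrator actions is our assumption, not the page's.
declare(strict_types=1);

// Constructed sample data: one calorie-log row per user id.
$calorieLog = [
    1 => ['user' => 'alice', 'calories' => 1850],
    2 => ['user' => 'bob',   'calories' => 2200],
];

/** Vulnerable editlogcal-style handler: the row is chosen by the request alone. */
function viewLogVulnerable(array $log, string $requestedId): ?array
{
    $id = (int) $requestedId;          // input is cast, but never tied to a caller
    return $log[$id] ?? null;
}

/** Hardened: the row is selected by the authenticated user, not by the request. */
function viewLogHardened(array $log, ?array $session, string $requestedId): array
{
    if ($session === null) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if ((int) $requestedId !== $session['uid']) {
        // Same response whether or not the other id exists.
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $row = $log[$session['uid']] ?? null;
    return $row === null
        ? ['status' => 404, 'body' => 'no log for this user']
        : ['status' => 200, 'body' => $row];
}

/** Privileged actions (add link, create account) share one gate. */
function requireAdmin(?array $session): ?array
{
    if ($session === null) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if (($session['role'] ?? '') !== 'admin') {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    return null;   // authorized, no error response to send
}

/** Vulnerable links-style handler: anyone who reaches the script may add a link. */
function addLinkVulnerable(array &$links, string $url): void
{
    $links[] = $url;
}

/** Hardened: the gate runs before any state changes. */
function addLinkHardened(array &$links, ?array $session, string $url): array
{
    if (($denied = requireAdmin($session)) !== null) {
        return $denied;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return ['status' => 400, 'body' => 'invalid url'];
    }
    $links[] = $url;
    return ['status' => 201, 'body' => $url];
}

// Constructed sessions: an anonymous visitor, an ordinary user, an administrator.
$anonymous = null;
$alice     = ['uid' => 1, 'role' => 'user'];
$admin     = ['uid' => 9, 'role' => 'admin'];
$links     = [];

// Anonymous visitor asks for id=2: the vulnerable handler hands back bob's row,
// the hardened one refuses before touching the log.
var_dump(viewLogVulnerable($calorieLog, '2'));
var_dump(viewLogHardened($calorieLog, $anonymous, '2'));

// Alice may read her own row but not bob's.
var_dump(viewLogHardened($calorieLog, $alice, '1'));
var_dump(viewLogHardened($calorieLog, $alice, '2'));

// Only the administrator's session may add a link.
addLinkVulnerable($links, 'http://example.com/anyone-can-add-this');
var_dump(addLinkHardened($links, $alice, 'http://example.com/blocked'));
var_dump(addLinkHardened($links, $admin, 'http://example.com/allowed'));
var_dump($links);
```

Run it with `php` from the command line. The point of the hardened handlers is that the record key and the permission both come from server-side session state, never from the request: the `id` parameter is accepted only when it matches the session user, and the same gate (`requireAdmin`) is the first thing each state-changing script calls, so a missing check in one place cannot be forgotten in the other.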
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Alexander Klink · webapps · php
https://www.exploit-db.com/exploits/29831
References (5)
Core References
Patch (x_refsource_confirm)
http://www.dropafew.com/sphpblog/comments.php?y=07&m=04&entry=entry070403-224437
Vendor Advisory, Third Party Advisory (x_refsource_secunia)
http://secunia.com/advisories/24861
Third Party Advisory, VDB Entry (x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/33561
Exploit, VDB Entry (x_refsource_bid)
http://www.securityfocus.com/bid/23400
Vendor Advisory (x_refsource_misc)
https://www.cynops.de/advisories/CVE-2007-1363.txt
Scores
EPSS
0.0460 (an estimated 4.6% probability of exploitation activity in the next 30 days)
EPSS Percentile
89.3% (scored higher than 89.3% of all CVEs with an EPSS score)
Details
Status
published
Products (1)
dropafew/dropafew
< 0.2
Published
Apr 11, 2007
Tracked Since
Feb 18, 2026