CVE-2007-5109

Name of the Vulnerable Software and Affected Versions FlatNuke versions 2.6 through 3

Description A cross-site request forgery (CSRF) issue allows remote attackers to change the password and privilege level of arbitrary accounts. This is achieved via the user parameter and modified regpass and level parameters in a none Login action.

Recommendations For FlatNuke versions 2.6 through 3, as a temporary workaround, consider restricting access to the none Login action in index.php to minimize the risk of exploitation. Avoid using the regpass and level parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.