PHProjekt before 2.4a allows remote attackers to perform actions as other PHProjekt users by modifying the ID number in an HTTP request to PHProjekt CGI programs.
https://exchange.xforce.ibmcloud.com/vulnerabilities/7035
http://www.securityfocus.com/bid/3239