MaxWebPortal 1.30 allows remote attackers to perform unauthorized actions by modifying hidden form fields, such as the (1) news, (2) lock, or (3) allmem fields in the 'start new topic' HTML page.
https://exchange.xforce.ibmcloud.com/vulnerabilities/12278
http://www.securityfocus.com/bid/7837
http://archives.neohapsis.com/archives/bugtraq/2003-06/0048.html