CVE-2007-4338

critical

Description

index.php in Ryan Haudenschilt Family Connections (FCMS) before 0.9 allows remote attackers to access an arbitrary account by placing the account's name in the value of an fcms_login_id cookie. NOTE: this can be leveraged for code execution via a POST with PHP code in the content parameter.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/35966

http://www.securityfocus.com/archive/1/476293/100/0/threaded

http://www.securityfocus.com/archive/1/476142/100/0/threaded

http://www.attrition.org/pipermail/vim/2007-August/001768.html

http://www.attrition.org/pipermail/vim/2007-August/001762.html

http://sourceforge.net/tracker/index.php?func=detail&aid=1778696&group_id=189733&atid=930513

http://securityreason.com/securityalert/3009

http://secunia.com/advisories/26421

http://osvdb.org/39534

Details

Source: Mitre, NVD

Published: 2007-08-14

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.08925