Unrated severityNVD Advisory· Published Jun 29, 2007· Updated Apr 23, 2026

CVE-2007-3494

Description

Papoo CMS 3.6, and possibly earlier, does not verify user privileges when accessing the backend administration plugins, which allows remote authenticated users to (1) read the entire database by accessing the database backup plugin via a devtools/templates/newdump_backend.html argument in the template parameter to interna/plugin.php, (2) create plugins, (3) remove plugins, (4) enable debug mode, and have other unspecified impact.

Affected products

Papoo/Papoo
cpe:2.3:a:papoo:papoo:*:*:*:*:*:*:*:*
Range: <=3.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.papoo.de/index/menuid/204/reporeid/215nvdPatch
lists.grok.org.uk/pipermail/full-disclosure/2007-June/064171.htmlnvd
osvdb.org/37542nvd
securityreason.com/securityalert/2853nvd
www.securityfocus.com/archive/1/472213/100/0/threadednvd
www.securityfocus.com/bid/24634nvd
exchange.xforce.ibmcloud.com/vulnerabilities/35032nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000