Improper Authorization in ThinkSAAS v2.7 allows remote attackers to modify the description of any user’s photo via the «photoid%5B%5D» and «photodesc%5B%5D» parameters in the component «index.php?app=photo.»
