baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request.
CVSS Metrics
