Security never stops, now does it?
It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
It was possible to delete other people’s personal events if you knew the event ID.
It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
Due to an XSS issue, it was possible to change someone’s account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
The comment display suffered from the possibility of an SQL injection (reported by Jelmer).