1. CVE-Search
  2. CVE-2006-3935
ID CVE-2006-3935
Summary system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.
References
Vulnerable Configurations
  • cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 17-10-2018 - 21:32)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
bugtraq 20060726 Multiple vulnerabilities in OpenCMS
misc
secunia 21193
sreason 1302
xf
  • opencms-adminmain-account-creation(28003)
  • opencms-adminmain-database-file-upload(28026)
  • opencms-adminmain-file-access(27996)
  • opencms-adminmain-message-broadcast(28031)
  • opencms-adminmain-module-upload(28010)
  • opencms-adminmain-obtain-information(28036)
Last major update 17-10-2018 - 21:32
Published 31-07-2006 - 22:04
Last modified 17-10-2018 - 21:32
Back to Top