ID |
CVE-2006-3935
|
Summary |
system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp. |
References |
|
Vulnerable Configurations |
-
cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
-
cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
-
cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
-
cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
-
cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
-
cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
|
CVSS |
Base: | 6.5 (as of 17-10-2018 - 21:32) |
Impact: | |
Exploitability: | |
|
CWE |
NVD-CWE-Other |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK |
LOW |
SINGLE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL |
PARTIAL |
PARTIAL |
|
cvss-vector
via4
|
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
refmap
via4
|
bugtraq | 20060726 Multiple vulnerabilities in OpenCMS | misc | | secunia | 21193 | sreason | 1302 | xf | - opencms-adminmain-account-creation(28003)
- opencms-adminmain-database-file-upload(28026)
- opencms-adminmain-file-access(27996)
- opencms-adminmain-message-broadcast(28031)
- opencms-adminmain-module-upload(28010)
- opencms-adminmain-obtain-information(28036)
|
|
Last major update |
17-10-2018 - 21:32 |
Published |
31-07-2006 - 22:04 |
Last modified |
17-10-2018 - 21:32 |