CVE-2006-4954 Information
Feb 14, 2021
Description
The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.
Reference
http://secunia.com/advisories/22029
http://vuln.sg/neonmail506-en.html
http://www.securityfocus.com/bid/20109
http://www.securityfocus.com/bid/84203
https://exchange.xforce.ibmcloud.com/vulnerabilities/29089