Vulnerability Details CVE-2006-4954
The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.075
EPSS Ranking 91.4%
CVSS Severity
CVSS v2 Score 7.5
References
- http://secunia.com/advisories/22029
- http://vuln.sg/neonmail506-en.html
- http://www.securityfocus.com/bid/20109
- http://www.securityfocus.com/bid/84203
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29089
- http://secunia.com/advisories/22029
- http://vuln.sg/neonmail506-en.html
- http://www.securityfocus.com/bid/20109
- http://www.securityfocus.com/bid/84203
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29089
Products affected by CVE-2006-4954
-
cpe:2.3:a:neosys:neon_webmail:5.06
-
cpe:2.3:a:neosys:neon_webmail:5.07