CVSS Base Score: 6.5

CVE-2006-3935

system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.
Data provided by the National Vulnerability Database (NVD)

Affected versions:
Alkacon OpenCms Version 6.0.0
Alkacon OpenCms Version 6.0.2
Alkacon OpenCms Version 6.0.3
Alkacon OpenCms Version 6.0.4
Alkacon OpenCms Version 6.2
Alkacon OpenCms Version 6.2.1

No advisory was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  1.7%    0.743

CVSS Metrics
Source        Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov  6.5          8               6.4            AV:N/AC:L/Au:S/C:P/I:P/A:P

No CWE information has been published yet.
References:
http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt (Patch)
http://secunia.com/advisories/21193 (Patch, Vendor Advisory)
http://securityreason.com/securityalert/1302
http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip (Patch)
http://www.opencms.org/opencms/en/shownews.html?id=1002 (Patch)
http://www.securityfocus.com/archive/1/441182/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/27996
https://exchange.xforce.ibmcloud.com/vulnerabilities/28003
https://exchange.xforce.ibmcloud.com/vulnerabilities/28010
https://exchange.xforce.ibmcloud.com/vulnerabilities/28026
https://exchange.xforce.ibmcloud.com/vulnerabilities/28031
https://exchange.xforce.ibmcloud.com/vulnerabilities/28036