CVE Vulnerabilities

CVE-2006-3935

Published: Jul 31, 2006 | Modified: Oct 17, 2018
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.

Affected Software

Name Vendor Start Version End Version
Opencms Alkacon 6.0.3 6.0.3
Opencms Alkacon 6.0.4 6.0.4
Opencms Alkacon 6.0.0 6.0.0
Opencms Alkacon 6.2 6.2
Opencms Alkacon 6.0.2 6.0.2
Opencms Alkacon 6.2.1 6.2.1

References