CVE-2006-4954 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2006-4954

CWE

https://cwe.mitre.org/data/definitions/NVD-Other.html

The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.

Affected Software

Name	Vendor	Start Version	End Version
Neon_webmail	Neosys	5.06 (including)	5.06 (including)
Neon_webmail	Neosys	5.07 (including)	5.07 (including)

References

http://secunia.com/advisories/22029
http://vuln.sg/neonmail506-en.html
http://www.securityfocus.com/bid/20109
http://www.securityfocus.com/bid/84203
https://exchange.xforce.ibmcloud.com/vulnerabilities/29089
http://secunia.com/advisories/22029
http://vuln.sg/neonmail506-en.html
http://www.securityfocus.com/bid/20109
http://www.securityfocus.com/bid/84203
https://exchange.xforce.ibmcloud.com/vulnerabilities/29089