CVE Vulnerabilities

CVE-2007-6237

Improper Authentication

Published: Dec 04, 2007 | Modified: Oct 15, 2018
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
9 HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Deluxebb Deluxebb 1.09 1.09

Potential Mitigations

References