Vulnerabilities > CVE-2006-4954 - Remote Security vulnerability in Neosys Neon Webmail 5.06/5.07
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
| description | NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet in_id Variable Arbitrary User Information Modification. CVE-2006-4954 . Webapps exploit for jsp pla... |
| id | EDB-ID:28609 |
| last seen | 2016-02-03 |
| modified | 2006-09-20 |
| published | 2006-09-20 |
| reporter | Tan Chew Keong |
| source | https://www.exploit-db.com/download/28609/ |
| title | NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet in_id Variable Arbitrary User Information Modification |