CVE-2006-4954 - Unspecified vulnerability in Neosys Neon Webmail 5.06/5.07
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
neosys
exploit available
Summary
The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Exploit-Db
description | NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet in_id Variable Arbitrary User Information Modification. CVE-2006-4954. Webapps exploit for jsp pla... |
id | EDB-ID:28609 |
last seen | 2016-02-03 |
modified | 2006-09-20 |
published | 2006-09-20 |
reporter | Tan Chew Keong |
source | https://www.exploit-db.com/download/28609/ |
title | NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet in_id Variable Arbitrary User Information Modification |
References
- http://secunia.com/advisories/22029
- http://vuln.sg/neonmail506-en.html
- http://www.securityfocus.com/bid/20109
- http://www.securityfocus.com/bid/84203
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29089