QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2006-3935

Back to search

CVE-2006-3935

Published: Jul 31, 2006

Modified: Aug 7, 2024

PUBLISHED

Description

system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.

VendorProductVersions

n/a

n/a

affected
n/a

References

21193
third-party-advisory
x_refsource_SECUNIA
1302
third-party-advisory
x_refsource_SREASON
20060726 Multiple vulnerabilities in OpenCMS
mailing-list
x_refsource_BUGTRAQ

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now