Back to search
CVE-2007-6237
Published: Dec 4, 2007
Modified: Aug 7, 2024
PUBLISHED
Description
cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
27794
third-party-advisory
x_refsource_SECUNIA
3416
third-party-advisory
x_refsource_SREASON
20071126 DeluxeBB E-Mail Address Change Security Bypass
mailing-list
x_refsource_BUGTRAQ
26572
vdb-entry
x_refsource_BID
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now