Multiple vulnerabilities in OpenCMS

CVE编号

CVE-2006-3935

利用情况

暂无

补丁情况

N/A

披露时间

2006-08-01

漏洞描述

system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt
http://secunia.com/advisories/21193
http://securityreason.com/securityalert/1302
http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip
http://www.opencms.org/opencms/en/shownews.html?id=1002
http://www.securityfocus.com/archive/1/441182/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/27996
https://exchange.xforce.ibmcloud.com/vulnerabilities/28003
https://exchange.xforce.ibmcloud.com/vulnerabilities/28010
https://exchange.xforce.ibmcloud.com/vulnerabilities/28026
https://exchange.xforce.ibmcloud.com/vulnerabilities/28031
https://exchange.xforce.ibmcloud.com/vulnerabilities/28036

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	alkacon	opencms	6.0.0	-
	运行在以下环境
	应用	alkacon	opencms	6.0.2	-
	运行在以下环境
	应用	alkacon	opencms	6.0.3	-
	运行在以下环境
	应用	alkacon	opencms	6.0.4	-
	运行在以下环境
	应用	alkacon	opencms	6.2	-
	运行在以下环境
	应用	alkacon	opencms	6.2.1	-

CVSS3评分 6.5

• 攻击路径 网络
• 攻击复杂度 低
• 权限要求 一次
• 影响范围 N/A
• 用户交互 无
• 可用性 部分地
• 保密性 部分地
• 完整性 部分地

AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-ID	漏洞类型
NVD-CWE-Other

Exp相关链接

- avd.aliyun.com