
CVE-2006-3935 org.opencms:opencms-core

Package

Manager: maven
Name: org.opencms:opencms-core
Vulnerable Version: >=0 <6.2.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: 0.02392 (percentile 0.84439)

Details

Alkacon OpenCMS Improper Access Control via system/workplace/views/admin/admin-main.jsp

system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.

Metadata

Created: 2022-05-01T07:13:46Z
Modified: 2025-06-20T15:33:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v3c3-qr6m-8m7m/GHSA-v3c3-qr6m-8m7m.json
CWE IDs: ["CWE-284", "CWE-862"]
Alternative ID: GHSA-v3c3-qr6m-8m7m
Finding: F039
Auto approve: 1