CVE-2006-6701 - Vulnerability Details - OpenCVE

Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Atmail	Atmail Webmail

Configuration 1 [-]

OR	cpe:2.3:a:atmail:atmail_webmail:3.0:::::::*
	cpe:2.3:a:atmail:atmail_webmail:4.0:::::::*
	cpe:2.3:a:atmail:atmail_webmail:4.51:::::::*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html
http://secunia.com/advisories/23472
http://secunia.com/advisories/25328
http://securitytracker.com/id?1017435
http://terra.calacode.com/mail/docs/changelog.html
http://www.netragard.com/html/recent_research.html
http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt
http://www.securityfocus.com/archive/1/458109/100/100/threaded
http://www.vupen.com/english/advisories/2007/1864
https://exchange.xforce.ibmcloud.com/vulnerabilities/31259

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-12-23T01:00:00

Updated: 2024-08-07T20:33:59.975Z

Reserved: 2006-12-22T00:00:00

Link: CVE-2006-6701

Vulnrichment

No data.

NVD

Status : Modified

Published: 2006-12-23T01:28:00.000

Modified: 2024-11-21T00:23:26.550

Link: CVE-2006-6701

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-12-22T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://terra.calacode.com/mail/docs/changelog.html"}, {"name": "25328", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25328"}, {"name": "@mail-unspecified-csrf(31259)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31259"}, {"name": "ADV-2007-1864", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/1864"}, {"name": "1017435", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1017435"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/458109/100/100/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.netragard.com/html/recent_research.html"}, {"name": "23472", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23472"}, {"tags": ["x_refsource_MISC"], "url": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6701", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://terra.calacode.com/mail/docs/changelog.html", "refsource": "CONFIRM", "url": "http://terra.calacode.com/mail/docs/changelog.html"}, {"name": "25328", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25328"}, {"name": "@mail-unspecified-csrf(31259)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31259"}, {"name": "ADV-2007-1864", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1864"}, {"name": "1017435", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1017435"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/458109/100/100/threaded"}, {"name": "http://www.netragard.com/html/recent_research.html", "refsource": "MISC", "url": "http://www.netragard.com/html/recent_research.html"}, {"name": "23472", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23472"}, {"name": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt", "refsource": "MISC", "url": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:33:59.975Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://terra.calacode.com/mail/docs/changelog.html"}, {"name": "25328", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25328"}, {"name": "@mail-unspecified-csrf(31259)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31259"}, {"name": "ADV-2007-1864", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/1864"}, {"name": "1017435", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1017435"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html"}, {"name": "20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery]", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/458109/100/100/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.netragard.com/html/recent_research.html"}, {"name": "23472", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23472"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6701", "datePublished": "2006-12-23T01:00:00", "dateReserved": "2006-12-22T00:00:00", "dateUpdated": "2024-08-07T20:33:59.975Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atmail:atmail_webmail:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C34B571-B918-42CA-911A-E32A92BA5CB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atmail:atmail_webmail:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4957D64-84D0-461C-9C25-07F5589E5CBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:atmail:atmail_webmail:4.51:*:*:*:*:*:*:*", "matchCriteriaId": "83F78C65-30EE-4A96-8FA0-A280D9EA6B60", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en @Mail WebMail 4.51 y util.php en 5.x anterior a 5.03, permite a un atacante remoto realizar acciones no autorizadas como otros usuarios a trav\u00e9s de vectores no especificados. NOTA: Est\u00e1 informaci\u00f3n se basa en una introducci\u00f3n inicial. Los detalles se obtendr\u00e1n despu\u00e9s de que elperiodo de gracia haya finalizado."}], "id": "CVE-2006-6701", "lastModified": "2024-11-21T00:23:26.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-12-23T01:28:00.000", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23472"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25328"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1017435"}, {"source": "cve@mitre.org", "url": "http://terra.calacode.com/mail/docs/changelog.html"}, {"source": "cve@mitre.org", "url": "http://www.netragard.com/html/recent_research.html"}, {"source": "cve@mitre.org", "url": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/458109/100/100/threaded"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1864"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31259"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23472"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25328"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1017435"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://terra.calacode.com/mail/docs/changelog.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.netragard.com/html/recent_research.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/458109/100/100/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/1864"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31259"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}