CVE-2006-6821 - Vulnerability Details - OpenCVE

myprofile.asp in Enthrallweb eNews does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enthrallweb	Enews

Configuration 1 [-]

cpe:2.3:a:enthrallweb:enews:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/23518
http://www.securityfocus.com/bid/21739
http://www.vupen.com/english/advisories/2006/5156
https://www.exploit-db.com/exploits/2996

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-12-29T11:00:00

Updated: 2024-08-07T20:42:07.196Z

Reserved: 2006-12-29T00:00:00

Link: CVE-2006-6821

Vulnrichment

No data.

NVD

Status : Modified

Published: 2006-12-29T11:28:00.000

Modified: 2024-11-21T00:23:43.870

Link: CVE-2006-6821

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-12-26T00:00:00", "descriptions": [{"lang": "en", "value": "myprofile.asp in Enthrallweb eNews does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2006-5156", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/5156"}, {"name": "2996", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/2996"}, {"name": "21739", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/21739"}, {"name": "23518", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23518"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6821", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "myprofile.asp in Enthrallweb eNews does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2006-5156", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/5156"}, {"name": "2996", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/2996"}, {"name": "21739", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21739"}, {"name": "23518", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23518"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:42:07.196Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2006-5156", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/5156"}, {"name": "2996", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/2996"}, {"name": "21739", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/21739"}, {"name": "23518", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23518"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6821", "datePublished": "2006-12-29T11:00:00", "dateReserved": "2006-12-29T00:00:00", "dateUpdated": "2024-08-07T20:42:07.196Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enthrallweb:enews:*:*:*:*:*:*:*:*", "matchCriteriaId": "C19A225F-3DAB-4053-8D0F-39C8330C36D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "myprofile.asp in Enthrallweb eNews does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter."}, {"lang": "es", "value": "myprofile.asp en Enthrallweb eCoupons no valida de forma correcta el par\u00e1metro MM_recordId durante actualizaciones de perfil, lo cual permite a atacantes remotos autenticados, modificar campos concretos del perfil de otras cuentas con solo especificar el nombre de usuario de estas cuentas en un p\u00e1rametro MM_recordId modificado."}], "id": "CVE-2006-6821", "lastModified": "2024-11-21T00:23:43.870", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-12-29T11:28:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23518"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/21739"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/5156"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/2996"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/23518"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/21739"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/5156"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/2996"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}