PT-2006-4781 · Alkacon · Opencms

Meder Kydyraliev · Published 2006-07-31 · Updated 2022-05-01 · CVE-2006-3935

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Alkacon OpenCms versions prior to 6.2.2

Description: The issue allows remote authenticated users to reach administrator functions that are not properly restricted. An authenticated user can perform various administrative actions, including sending broadcast messages to all users through the "/workplace/broadcast" endpoint, listing all users via the "/accounts/users" endpoint, adding web users through the "/accounts/webusers/new" endpoint, uploading database import and export files via the "/database/importhttp" endpoint, uploading arbitrary program modules through the "/modules/modules import" endpoint, and reading the log file through the "/workplace/logfileview" endpoint. The functions are reached by setting the appropriate value for the path parameter in a direct request to "admin-main.jsp".

Recommendations: For versions prior to 6.2.2, update to version 6.2.2 or later to resolve the issue. As a temporary workaround, restrict access to the "admin-main.jsp" page and its associated endpoints to administrators only, which reduces the risk of exploitation. Do not rely on the path parameter of direct requests to "admin-main.jsp" as an access control mechanism until the issue is resolved.
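The workaround above, restricting the dispatcher and the tool paths it reaches to administrators, can be applied at the servlet-container level without touching application code. The following servlet filter is an added illustration and is not OpenCms code: it gates any request to "admin-main.jsp", any request whose path parameter names one of the tools listed in the description, and any request URI that contains one of those tool paths, behind a container role check. The role name "administrators", the use of container-managed roles via isUserInRole, and the filter class name are assumptions; an application that keeps its own session-based user model would replace the isUserInRole call with its own administrator lookup.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed example, not OpenCms code: a container-level guard that refuses
 * requests to the admin dispatcher and its tools unless the caller holds the
 * administrator role, so an ordinary authenticated user cannot reach them by
 * supplying a "path" parameter.
 */
public class AdminToolsAuthorizationFilter implements Filter {

    // Assumed role name; map it to the real administrator group in the container realm.
    private static final String ADMIN_ROLE = "administrators";

    // Dispatcher page named in the advisory.
    private static final String ADMIN_DISPATCHER = "admin-main.jsp";

    // Tool paths named in the advisory, spelled as the advisory gives them.
    private static final String[] PROTECTED_TOOL_PATHS = {
        "/workplace/broadcast",
        "/accounts/users",
        "/accounts/webusers/new",
        "/database/importhttp",
        "/modules/modules import",
        "/workplace/logfileview"
    };

    @Override
    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAdminToolRequest(request) && !request.isUserInRole(ADMIN_ROLE)) {
            // Not an administrator: stop here, before the dispatcher can route
            // the "path" value to an admin tool.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /** True when the request targets the dispatcher or names a protected tool. */
    static boolean isAdminToolRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri != null && uri.endsWith(ADMIN_DISPATCHER)) {
            return true;
        }
        String path = request.getParameter("path");
        for (String tool : PROTECTED_TOOL_PATHS) {
            if ((path != null && path.startsWith(tool))
                    || (uri != null && uri.contains(tool))) {
                return true;
            }
        }
        return false;
    }
}
```

The filter must be registered in the web application's deployment descriptor with a filter-mapping that covers the workplace URL space (the exact pattern depends on the deployment's context path and is not given by the advisory). It is a stopgap that denies access before the vulnerable dispatcher runs; the authorization check inside the application that version 6.2.2 restores is the actual fix, and the upgrade remains necessary.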

Weakness Enumeration

Missing Authorization

Improper Access Control

Related Identifiers

CVE-2006-3935
GHSA-V3C3-QR6M-8M7M

Affected Products

Opencms