CVE-2006-6821

Name of the Vulnerable Software and Affected Versions: Enthrallweb eNews (affected versions not specified)

Description: The issue concerns the myprofile.asp page in Enthrallweb eNews, where the MM recordId parameter is not properly validated during profile updates. This allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM recordId parameter.

Recommendations: For all affected versions, consider restricting access to the myprofile.asp page until a proper validation mechanism for the MM recordId parameter is implemented. As a temporary workaround, restrict the ability to modify profile fields to prevent unauthorized changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.