VYPR
Unrated severity · NVD Advisory · Published Sep 23, 2006 · Updated Apr 16, 2026

CVE-2006-4954

Description

The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4) creating and (5) deleting users.

Affected products

2
  • cpe:2.3:a:neosys:neon_webmail:5.06:*:java:*:*:*:*:*
  • cpe:2.3:a:neosys:neon_webmail:5.07:*:java:*:*:*:*:*

Patches

0

No patches discovered yet.

References

5
