Neon Webmail
by Neosys
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-4955 | 0.04 | — | 0.08 | Sep 23, 2006 | Directory traversal vulnerability in the downloadfile servlet in Neon WebMail for Java before 5.08 allows remote attackers to read arbitrary files via a .. (dot dot) sequence in the (1) savefolder and (2) savefilename parameters. | |||
| CVE-2006-4952 | 0.04 | — | 0.08 | Sep 23, 2006 | The updatemail servlet in Neon WebMail for Java before 5.08 allows remote attackers to move e-mail messages of arbitrary users between different mail folders, specified by the folderid and tofolderid parameters, via the ID parameter. | |||
| CVE-2006-4954 | 0.04 | — | 0.08 | Sep 23, 2006 | The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4)… | |||
| CVE-2006-4956 | 0.03 | — | 0.05 | Sep 23, 2006 | Cross-site scripting (XSS) vulnerability in the updateuser servlet in Neon WebMail for Java before 5.08 allows remote attackers to inject arbitrary web script or HTML via the in_name parameter, as used by the Name field. | |||
| CVE-2006-4953 | 0.03 | — | 0.04 | Sep 23, 2006 | Multiple SQL injection vulnerabilities in Neon WebMail for Java before 5.08 allow remote attackers to execute arbitrary SQL commands via the (1) adr_sortkey and (2) adr_sortkey_desc parameters in the (a) addrlist servlet, and the (3) sortkey and (4) sortkey_desc parameters in… | |||
| CVE-2006-4951 | 0.00 | — | 0.03 | Sep 23, 2006 | Neon WebMail for Java before 5.08 allows remote attackers to execute arbitrary Java (JSP) code by sending an e-mail message with a JSP file attachment, which is stored under the web root with a predictable filename. |
- CVE-2006-4955Sep 23, 2006risk 0.04cvss —epss 0.08
Directory traversal vulnerability in the downloadfile servlet in Neon WebMail for Java before 5.08 allows remote attackers to read arbitrary files via a .. (dot dot) sequence in the (1) savefolder and (2) savefilename parameters.
- CVE-2006-4952Sep 23, 2006risk 0.04cvss —epss 0.08
The updatemail servlet in Neon WebMail for Java before 5.08 allows remote attackers to move e-mail messages of arbitrary users between different mail folders, specified by the folderid and tofolderid parameters, via the ID parameter.
- CVE-2006-4954Sep 23, 2006risk 0.04cvss —epss 0.08
The updateuser servlet in Neon WebMail for Java before 5.08 does not validate the in_id parameter, which allows remote attackers to modify information of arbitrary users, as demonstrated by modifying (1) passwords and (2) permissions, (3) viewing profile settings, and (4)…
- CVE-2006-4956Sep 23, 2006risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in the updateuser servlet in Neon WebMail for Java before 5.08 allows remote attackers to inject arbitrary web script or HTML via the in_name parameter, as used by the Name field.
- CVE-2006-4953Sep 23, 2006risk 0.03cvss —epss 0.04
Multiple SQL injection vulnerabilities in Neon WebMail for Java before 5.08 allow remote attackers to execute arbitrary SQL commands via the (1) adr_sortkey and (2) adr_sortkey_desc parameters in the (a) addrlist servlet, and the (3) sortkey and (4) sortkey_desc parameters in…
- CVE-2006-4951Sep 23, 2006risk 0.00cvss —epss 0.03
Neon WebMail for Java before 5.08 allows remote attackers to execute arbitrary Java (JSP) code by sending an e-mail message with a JSP file attachment, which is stored under the web root with a predictable filename.