CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-46900
https://notcve.org/view.php?id=CVE-2021-46900
Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism. Sympa anterior a 6.2.62 se basa en un parámetro de cookie para ciertos objetivos de seguridad, pero no garantiza que este parámetro exista y tenga un valor impredecible. Específicamente, el parámetro cookie es a la vez un salt para contraseñas almacenadas y un mecanismo de protección XSS. • https://github.com/sympa-community/sympa-community.github.io/blob/master/security/2021-001.md https://github.com/sympa-community/sympa/issues/1091 https://www.sympa.community/security/2021-001.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-29668
https://notcve.org/view.php?id=CVE-2020-29668
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. Sympa versiones anteriores a 6.2.59b.2, permite a atacantes remotos conseguir acceso completo a la API SOAP mediante el envío de cualquier cadena arbitraria (excepto una desde una cookie caducada) como el valor de la cookie para authenticateAndRun. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020 https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md https://github.com/sympa-community/sympa/issues/1041 https://github.com/sympa-community/sympa/pull/1044 https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org& • CWE-287: Improper Authentication CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26932
https://notcve.org/view.php?id=CVE-2020-26932
debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group) debian/sympa.postinst para el paquete Debian Sympa versiones anteriores a 6.2.40~dfsg-7, usa el modo 4755 para sympa_newaliases-wrapper, mientras que los permisos previstos están en el modo 4750 (para el acceso del grupo sympa) • https://bugs.debian.org/971904 https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1 https://www.debian.org/security/2020/dsa-4818 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-26880
https://notcve.org/view.php?id=CVE-2020-26880
Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. Sympa versiones hasta 6.2.57b.2, permite una escalada de privilegios local desde la cuenta de usuario sympa hacia el acceso root completo mediante la modificación del archivo de configuración sympa.conf (que es propiedad de sympa) y analizándolo por medio del ejecutable sympa_newaliases-wrapper de setuid • https://github.com/sympa-community/sympa/issues/1009 https://github.com/sympa-community/sympa/issues/943#issuecomment-704779420 https://github.com/sympa-community/sympa/issues/943#issuecomment-704842235 https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CUVLHGWCDA6B2NH467ZMKL6O2NGLQZN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5MFWWYY4TSQAXBWZ6SBFX43BLUL3WWI https://li • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-10936
https://notcve.org/view.php?id=CVE-2020-10936
Sympa before 6.2.56 allows privilege escalation. Sympa versiones anteriores a la versión 6.2.56, permite una escalada de privilegios. • https://github.com/sympa-community/sympa/releases https://lists.debian.org/debian-lts-announce/2020/10/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3TMQ3CORUOWARALACCBG2SBTIGZ5GY5 https://sysdream.com/news/lab https://sysdream.com/news/lab/2020-05-25-cve-2020-10936-sympa-privileges-escalation-to-root https://usn.ubuntu.com/4442- • CWE-269: Improper Privilege Management •