CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2021-46900
https://notcve.org/view.php?id=CVE-2021-46900
31 Dec 2023 — Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism. • https://github.com/sympa-community/sympa-community.github.io/blob/master/security/2021-001.md • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3 | EPSS: 1% | CPEs: 6 | EXPL: 1 | CVE-2020-29668 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-29668
10 Dec 2020 — Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. Several vulnerabilities were discovered in Sympa, a mailing list manager, ... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020 • CWE-287: Improper Authentication • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2020-26932 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-26932
10 Oct 2020 — debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group). Several vulnerabilities were discovered in Sympa, a mailing list manager, which could re... • https://bugs.debian.org/971904 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2020-26880
https://notcve.org/view.php?id=CVE-2020-26880
07 Oct 2020 — Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. • https://github.com/sympa-community/sympa/issues/1009 • CWE-269: Improper Privilege Management •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 1 | CVE-2020-10936 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-10936
27 May 2020 — Sympa before 6.2.56 allows privilege escalation. Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP GET/POST requests. An attacker could possibly use this issue to insert, edit or obtain sensitive information. It was discovered that Sympa incorrectly handled URL parameters. • https://github.com/sympa-community/sympa/releases • CWE-269: Improper Privilege Management •
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2018-1000550 – Ubuntu Security Notice USN-4442-1
https://notcve.org/view.php?id=CVE-2018-1000550
26 Jun 2018 — Sympa (The Sympa Community) before version 6.2.32 contains a directory traversal vulnerability in the wwsympa.fcgi template editing function that can allow an attacker to create or modify files on the server filesystem. This attack appears to be exploitable via an HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32. • https://lists.debian.org/debian-lts-announce/2018/07/msg00033.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5 | EPSS: 1% | CPEs: 159 | EXPL: 0 | CVE-2012-2352 – Debian Security Advisory 2477-1
https://notcve.org/view.php?id=CVE-2012-2352
22 May 2012 — The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in Sympa before 6.1.11 does not check permissions, which allows remote attackers to list, read, and delete arbitrary list archives via vectors related to the (1) do_arc_manage, (2) do_arc_download, or (3) do_arc_delete functions. • http://secunia.com/advisories/49045 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5 | EPSS: 2% | CPEs: 129 | EXPL: 1 | CVE-2008-1648 – Debian Linux Security Advisory 1600-1
https://notcve.org/view.php?id=CVE-2008-1648
02 Apr 2008 — Sympa before 5.4 allows remote attackers to cause a denial of service (daemon crash) via an e-mail message with a malformed value of the Content-Type header and unspecified other headers. NOTE: some of these details are obtained from third-party information. • http://secunia.com/advisories/29575 • CWE-20: Improper Input Validation •
