CVE-2021-46900
https://notcve.org/view.php?id=CVE-2021-46900
Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism.
References:
• https://github.com/sympa-community/sympa-community.github.io/blob/master/security/2021-001.md
• https://github.com/sympa-community/sympa/issues/1091
• https://www.sympa.community/security/2021-001.html
Weakness: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVE-2020-29668
https://notcve.org/view.php?id=CVE-2020-29668
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
References:
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
• https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
• https://github.com/sympa-community/sympa/issues/1041
• https://github.com/sympa-community/sympa/pull/1044
• https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org&
Weaknesses: CWE-287: Improper Authentication; CWE-565: Reliance on Cookies without Validation and Integrity Checking