CVSS: 7.5EPSS: 2%CPEs: 5EXPL: 0CVE-2020-9369
https://notcve.org/view.php?id=CVE-2020-9369
Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters. Sympa versiones 6.2.38 hasta 6.2.52, permite a atacantes remotos causar una denegación de servicio (consumo de disco de archivos temporales y una avalancha de notificaciones para listmasters) por medio de una serie de peticiones con parámetros malformados. • https://github.com/sympa-community/sympa/issues/886 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6TMVZ5LVYCCIHGEC7RQUMGUE7DJWUXN7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3FUYYLV6URRLAJVWXNJYK2CNOKKNHXC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO4WJYNNHWM7DUKCN4EWYYYPXZSOI7BQ https://sympa-community.github.io/security/2020-001.html https://www.debian.org/security/2020/dsa-4818 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000671
https://notcve.org/view.php?id=CVE-2018-1000671
sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs. This attack appear to be exploitable via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available. sympa en versiones 6.2.16 y posteriores contiene una vulnerabilidad de redirección por URL a un sitio no fiable (CWE-601) en el parámetro "referer" de la acción de inicio de sesión en wwsympa.fcgi. Esto puede resultar en una redirección abierta y Cross-Site Scripting (XSS) reflejado mediante URI de datos. El ataque parece ser explotable si el navegador de la víctima sigue una URL proporcionada por el atacante. • https://github.com/sympa-community/sympa/issues/268 https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html https://usn.ubuntu.com/4442-1 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000550
https://notcve.org/view.php?id=CVE-2018-1000550
The Sympa Community Sympa version prior to version 6.2.32 contains a Directory Traversal vulnerability in wwsympa.fcgi template editing function that can result in Possibility to create or modify files on the server filesystem. This attack appear to be exploitable via HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32. Sympa de Sympa Community, en versiones anteriores a la 6.2.32, contiene una vulnerabilidad de salto de directorio en la función de edición de plantillas www.sympa.fcgi que puede generar la posibilidad de crear o modificar archivos en el sistema de archivos del servidor. Parece ser que este ataque puede ser explotado mediante una petición HTTP GET/POST. • https://lists.debian.org/debian-lts-announce/2018/07/msg00033.html https://sympa-community.github.io/security/2018-001.html https://usn.ubuntu.com/4442-1 https://www.debian.org/security/2018/dsa-4285 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 34EXPL: 0CVE-2015-1306
https://notcve.org/view.php?id=CVE-2015-1306
The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. La área de anuncios (newsletter) en la interfaz web en Sympa 6.0.x anterior a 6.0.10 y 6.1.x anterior a 6.1.24 permite a atacantes remotos leer ficheros arbitrarios a través de vectores no especifcados. • http://advisories.mageia.org/MGASA-2015-0085.html http://secunia.com/advisories/62387 http://secunia.com/advisories/62442 http://www.debian.org/security/2015/dsa-3134 http://www.mandriva.com/security/advisories?name=MDVSA-2015:051 http://www.openwall.com/lists/oss-security/2015/01/20/4 http://www.securityfocus.com/bid/72277 https://www.sympa.org/security_advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 159EXPL: 0CVE-2012-2352
https://notcve.org/view.php?id=CVE-2012-2352
The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in Sympa before 6.1.11 does not check permissions, which allows remote attackers to list, read, and delete arbitrary list archives via vectors related to the (1) do_arc_manage, (2) do_arc_download, or (3) do_arc_delete functions. La página de gestión de archivos (arc_manage) en WWSympa/wwsympa.fcgi.in en Sympa antes del v6.1.11 no comprueba los permisos, lo que permite a atacantes remotos listar, leer y borrar archivos de lista de su elección a través de vectores relacionados con las funciones (a) do_arc_manage, (2) do_arc_download, o (3) do_arc_delete. • http://secunia.com/advisories/49045 http://secunia.com/advisories/49237 http://www.debian.org/security/2012/dsa-2477 http://www.openwall.com/lists/oss-security/2012/05/11/8 http://www.openwall.com/lists/oss-security/2012/05/12/2 http://www.openwall.com/lists/oss-security/2012/05/12/8 http://www.osvdb.org/81890 http://www.securityfocus.com/bid/53503 https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa& • CWE-264: Permissions, Privileges, and Access Controls •