
CVE-2021-46900
https://notcve.org/view.php?id=CVE-2021-46900
31 Dec 2023 — Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism. • https://github.com/sympa-community/sympa-community.github.io/blob/master/security/2021-001.md • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
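The advisory above says the fix is to make sure the `cookie` parameter exists and is unpredictable. The following is an added example (not Sympa's own code) of the pre-upgrade check an operator can run against a config file: it assumes a `parameter value` line format like sympa.conf's `cookie` line, and the length threshold, per-character entropy threshold and list of well-known weak values are assumptions chosen for the demo, as are the sample configs.

```python
"""Sanity-check a Sympa-style 'cookie' secret in a config file.

Added example, not Sympa's own code. Assumes a key/value config format
("cookie  <value>" on one line, as sympa.conf uses) and treats a secret as
weak if it is absent, a well-known default, short, or low-entropy.
"""
import math
import re
from collections import Counter

MIN_LENGTH = 16          # assumption: shorter secrets are flagged
MIN_BITS_PER_CHAR = 3.0  # assumption: Shannon entropy threshold per character
KNOWN_WEAK = {"", "changeme", "secret", "sympa", "123456"}  # constructed list


def parse_cookie(config_text):
    """Return the value of the 'cookie' parameter, or None if it is absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^cookie\s+(\S+)$", line)
        if m:
            return m.group(1)
    return None


def shannon_entropy(s):
    """Bits of entropy per character, estimated from character frequencies."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_cookie_secret(config_text):
    """Return a list of findings; an empty list means the secret looks acceptable."""
    value = parse_cookie(config_text)
    if value is None:
        return ["cookie parameter is missing (Sympa before 6.2.62 does not ensure it exists)"]
    findings = []
    if value.lower() in KNOWN_WEAK:
        findings.append("cookie value is a well-known default")
    if len(value) < MIN_LENGTH:
        findings.append(f"cookie value is only {len(value)} characters (< {MIN_LENGTH})")
    if shannon_entropy(value) < MIN_BITS_PER_CHAR:
        findings.append("cookie value is low-entropy (few distinct or repeated characters)")
    return findings


# Constructed sample configs for the demo.
WEAK_CONF = "domain  lists.example.org\ncookie  sympa\n"
MISSING_CONF = "domain  lists.example.org\n"
STRONG_CONF = "domain  lists.example.org\ncookie  Q7vX2pL9sT4mN8kR3wJ6bH1yZ5cD0fG\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("missing", MISSING_CONF), ("strong", STRONG_CONF)):
        print(name, check_cookie_secret(conf) or "ok")
```

The entropy estimate is per character of the value itself, so a long value made of one repeated character still fails; a value generated from a CSPRNG over a 60-odd character alphabet clears the threshold comfortably.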

CVE-2020-29668 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-29668
10 Dec 2020 — Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. Several vulnerabilities were discovered in Sympa, a mailing list manager, ... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020 • CWE-287: Improper Authentication CWE-565: Reliance on Cookies without Validation and Integrity Checking •
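The two CWEs on this entry describe a cookie that is trusted without being validated or integrity-checked. The block below is an added example, not Sympa's code: `vulnerable_authenticate` models the behaviour the description gives (any string is accepted unless it is a known-expired cookie), and `hardened_authenticate` shows the usual fix, a server-issued token carrying the identity and an expiry under an HMAC, so an arbitrary string cannot pass. The key, the expired-cookie set, the e-mail address and the timestamps are constructed for the demo.

```python
"""Session-cookie validation for an authenticateAndRun-style SOAP entry point.

Added example, not Sympa's code. The vulnerable function models the
CVE-2020-29668 behaviour; the hardened one validates an HMAC-signed,
expiring token that only the server could have minted.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: per-install secret
EXPIRED_COOKIES = {"old-cookie-1"}                  # constructed


def vulnerable_authenticate(cookie, expired=EXPIRED_COOKIES):
    """Accepts any cookie string except a known-expired one: no binding to a real session."""
    if cookie in expired:
        return None
    return {"email": "whoever-sent-it", "cookie": cookie}   # treated as authenticated


def issue_token(email, now=None, ttl=3600, key=SERVER_KEY):
    """Mint a token: urlsafe_b64(payload) + "." + urlsafe_b64(HMAC-SHA256(key, payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"email": email, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def hardened_authenticate(cookie, now=None, key=SERVER_KEY):
    """Return the session only if the token is well-formed, signed with our key and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    session = json.loads(payload)
    if session.get("exp", 0) <= now:
        return None
    return session


if __name__ == "__main__":
    print("vulnerable accepts garbage:", vulnerable_authenticate("anything-at-all") is not None)
    tok = issue_token("alice@example.org")
    print("hardened accepts own token:", hardened_authenticate(tok) is not None)
    print("hardened rejects garbage:", hardened_authenticate("anything-at-all") is None)
```

Expiry is enforced from the signed payload rather than from a server-side "expired cookies" list, so there is no window in which a never-issued value is accepted.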

CVE-2020-26932 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-26932
10 Oct 2020 — debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group). Several vulnerabilities were discovered in Sympa, a mailing list manager, which could re... • https://bugs.debian.org/971904 • CWE-732: Incorrect Permission Assignment for Critical Resource •
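The difference between 4755 and 4750 is the `x` bit for "others": with it set, every local account can invoke a setuid-root wrapper instead of only members of the sympa group. The following is an added example (not part of the Debian package) of an audit that flags that bit on a setuid wrapper and applies the intended mode; the `audit_mode` function is pure so it can be checked without touching the filesystem, and `demo` exercises it on a throw-away file created in a temporary directory. The installed path of the real wrapper is not assumed here; pass your package's path to `audit_setuid_wrapper`.

```python
"""Audit a setuid wrapper's mode bits and apply the intended mode.

Added example, not from the Debian package. Models the CVE-2020-26932
mistake (4755 installed where 4750 was intended).
"""
import os
import stat
import tempfile


def audit_mode(mode, expected_mode=0o4750):
    """Return findings for a setuid wrapper's permission bits; empty means it matches."""
    findings = []
    if not mode & stat.S_ISUID:
        findings.append("setuid bit missing (wrapper cannot do its job)")
    if mode & stat.S_IXOTH:
        findings.append(f"world-executable: mode {mode:o}, any local user can run it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode != expected_mode:
        findings.append(f"mode {mode:o} != expected {expected_mode:o}")
    return findings


def audit_setuid_wrapper(path, expected_mode=0o4750):
    """Stat the file and audit its permission bits (ignores file type bits)."""
    return audit_mode(stat.S_IMODE(os.stat(path).st_mode), expected_mode)


def fix_mode(path, mode=0o4750):
    """Apply the intended mode and return the findings that remain."""
    os.chmod(path, mode)
    return audit_setuid_wrapper(path, mode)


def demo():
    """Create a throw-away file, install it 4755 like the buggy postinst, audit, then fix."""
    with tempfile.TemporaryDirectory() as d:
        wrapper = os.path.join(d, "sympa_newaliases-wrapper")   # constructed name
        with open(wrapper, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(wrapper, 0o4755)           # the buggy mode
        before = audit_setuid_wrapper(wrapper)
        after = fix_mode(wrapper)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after or "ok")
```

The "writable by group or others" check is not part of this CVE, but any writable setuid binary is a root compromise, so an audit of these files should always include it.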

CVE-2020-26880
https://notcve.org/view.php?id=CVE-2020-26880
07 Oct 2020 — Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. • https://github.com/sympa-community/sympa/issues/1009 • CWE-269: Improper Privilege Management •

CVE-2020-10936 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-10936
27 May 2020 — Sympa before 6.2.56 allows privilege escalation. Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP GET/POST requests. An attacker could possibly use this issue to insert, edit or obtain sensitive information. It was discovered that Sympa incorrectly handled URL parameters. • https://github.com/sympa-community/sympa/releases • CWE-269: Improper Privilege Management •

CVE-2020-9369 – Debian Security Advisory 4818-1
https://notcve.org/view.php?id=CVE-2020-9369
24 Feb 2020 — Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters. Several vulnerabilities were discover... • https://github.com/sympa-community/sympa/issues/886 • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-1000671 – Ubuntu Security Notice USN-4442-1
https://notcve.org/view.php?id=CVE-2018-1000671
06 Sep 2018 — Sympa 6.2.16 and later contains an open redirect (CWE-601: URL Redirection to Untrusted Site) in the "referer" parameter of the wwsympa.fcgi login action, which can result in open redirection and reflected XSS via data URIs. Exploitation requires the victim's browser to follow a URL supplied by the attacker. No fixed version was available at the time of the report. • https://github.com/sympa-community/sympa/issues/268 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
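Both outcomes named above (off-site redirect and XSS through a `data:` URI) come from sending whatever the "referer" parameter held straight back in a Location header. The block below is an added example, not Sympa's code, of the validation a login action should apply before redirecting: only `http`/`https` targets on the site's own host names or site-relative paths are kept, anything else falls back to a default page. The allowed host set and the default landing path are constructed for the demo.

```python
"""Validate a post-login redirect target such as a 'referer' parameter.

Added example, not Sympa's code. Only same-site HTTP(S) URLs and
site-relative paths are followed; data:, javascript:, protocol-relative
and off-site targets fall back to a default page.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"lists.example.org"}     # constructed: the site's own host names
DEFAULT_TARGET = "/sympa"                 # assumption: fallback landing page


def safe_redirect_target(referer, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is safe to place in a Location header."""
    if not referer:
        return default
    # Drop CR/LF so the value cannot split headers, then surrounding whitespace.
    candidate = referer.replace("\r", "").replace("\n", "").strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # e.g. malformed IPv6 literal
        return default
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return default                      # data:, javascript:, mailto: ...
    if parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default                  # off-site, or user@host tricks
        return urlunsplit((scheme or "https", parts.netloc, parts.path or "/", parts.query, ""))
    # No scheme and no host: must be a site-relative path, not //host or /\host.
    if not parts.path.startswith("/") or candidate.startswith("//") or candidate.startswith("/\\"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for r in ("javascript:alert(1)", "data:text/html,<script>alert(1)</script>",
              "https://evil.example/phish", "//evil.example/phish",
              "https://lists.example.org/sympa/info/test?x=1", "/sympa/info/test"):
        print(f"{r!r:55} -> {safe_redirect_target(r)}")
```

The fragment is deliberately dropped from the returned value and the host comparison uses `hostname` rather than `netloc`, so `https://lists.example.org@evil.example/` is rejected as well.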

CVE-2018-1000550 – Ubuntu Security Notice USN-4442-1
https://notcve.org/view.php?id=CVE-2018-1000550
26 Jun 2018 — Sympa before 6.2.32 contains a directory traversal vulnerability in the wwsympa.fcgi template editing function that can allow an attacker to create or modify files on the server filesystem. The attack is exploitable via an HTTP GET/POST request. The issue is fixed in 6.2.32. • https://lists.debian.org/debian-lts-announce/2018/07/msg00033.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
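A template editor that builds a file path from request parameters must pin the result inside the template directory. The following is an added example, not Sympa's code, of that containment check: each user-supplied component is rejected if it is empty, `.`, `..`, absolute or contains a separator, and the resolved path is then verified (after symlink resolution) to lie under the root. The template root and file names are constructed for the demo; the real template layout is not assumed.

```python
"""Resolve a template name to a file inside the template directory, refusing traversal.

Added example, not Sympa's code. Models the check CVE-2018-1000550 says
was missing in the wwsympa.fcgi template editor.
"""
import os


def resolve_template_path(template_root, list_name, template_name):
    """Return an absolute path under template_root, or raise ValueError on traversal."""
    for part in (list_name, template_name):
        if not part or part in (".", "..") or "\x00" in part:
            raise ValueError(f"invalid path component: {part!r}")
        if os.path.isabs(part) or "/" in part or "\\" in part:
            raise ValueError(f"path separator not allowed in {part!r}")
    root = os.path.realpath(template_root)
    candidate = os.path.realpath(os.path.join(root, list_name, template_name))
    # realpath collapses '..' and follows symlinks; this containment check is the authority,
    # the component checks above only give clearer error messages.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("template path escapes the template directory")
    return candidate


def is_safe(template_root, list_name, template_name):
    """True if the components resolve inside template_root, False otherwise."""
    try:
        resolve_template_path(template_root, list_name, template_name)
        return True
    except ValueError:
        return False


TEMPLATE_ROOT = "/tmp/sympa-templates-demo"   # constructed; need not exist for the demo

if __name__ == "__main__":
    for lst, tpl in (("mylist", "welcome.tt2"), ("mylist", "../../../etc/passwd"),
                     ("..", "welcome.tt2"), ("mylist", "/etc/passwd")):
        print(f"{lst!r:10} {tpl!r:25} -> {is_safe(TEMPLATE_ROOT, lst, tpl)}")
```

Resolving with `realpath` before the containment check matters when the template tree can contain symlinks; a check on the unresolved string alone would pass a link that points outside the root.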

CVE-2015-1306 – Mandriva Linux Security Advisory 2015-051
https://notcve.org/view.php?id=CVE-2015-1306
22 Jan 2015 — The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem. This breach allows t... • http://advisories.mageia.org/MGASA-2015-0085.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2012-2352
https://notcve.org/view.php?id=CVE-2012-2352
31 May 2012 — The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in Sympa before 6.1.11 does not check permissions, which allows remote attackers to list, read, and delete arbitrary list archives via vectors related to the (1) do_arc_manage, (2) do_arc_download, or (3) do_arc_delete functions. • http://secunia.com/advisories/49045 • CWE-264: Permissions, Privileges, and Access Controls •