CVE-2021-46900

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism.

Sympa anterior a 6.2.62 se basa en un parámetro de cookie para ciertos objetivos de seguridad, pero no garantiza que este parámetro exista y tenga un valor impredecible. Específicamente, el parámetro cookie es a la vez un salt para contraseñas almacenadas y un mecanismo de protección XSS.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-31 CVE Reserved
2023-12-31 CVE Published
2024-01-11 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/sympa-community/sympa-community.github.io/blob/master/security/2021-001.md	2024-01-10
https://github.com/sympa-community/sympa/issues/1091	2024-01-10
https://www.sympa.community/security/2021-001.html	2024-01-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sympa Search vendor "Sympa"		Sympa Search vendor "Sympa" for product "Sympa"				< 6.2.62 Search vendor "Sympa" for product "Sympa" and version " < 6.2.62"		-		Affected