Vulnerability Details : CVE-2018-1000671
Sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the "referer" parameter of the wwsympa.fcgi login action. The value of that parameter is used as the post-login redirect target without validation, so an attacker can send the victim to an arbitrary external site (open redirect) or, by supplying a data: URI, have the victim's browser render attacker-controlled HTML and script (reflected XSS). Exploitation requires that the victim's browser follow a URL supplied by the attacker, which is why the CVSS v3 vector below carries UI:R. At the time this entry was published no fixed upstream version was listed ("fixed in: none available"); the Debian LTS and Ubuntu advisories under References address it for their packages.
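To make the flaw class concrete, the following is an added Python illustration, not Sympa's own code (Sympa is written in Perl and its login handler is not reproduced here). It contrasts a redirect handler that trusts a "referer" parameter verbatim, as the description above says the vulnerable login action does, with a validator that only allows same-site targets. The parameter name and the data: URI payload follow the description; the host name lists.example.org, the path /wws/lists and the sample inputs are assumptions constructed for the example.

```python
"""Open-redirect / data: URI check for a post-login "referer" parameter.

Added illustration for CVE-2018-1000671 (CWE-601); not Sympa's code.
Host names, paths and sample payloads below are constructed assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed canonical host of the list server; a real deployment reads this
# from configuration rather than from the request.
SITE_HOST = "lists.example.org"
FALLBACK = "/"


def vulnerable_redirect_target(referer: str) -> str:
    """The vulnerable pattern: return the parameter unchanged.

    A value such as data:text/html,<script>...</script> reaches the
    Location header untouched, so a browser that follows the redirect
    renders attacker-controlled markup; an absolute https://evil... URL
    is a plain open redirect.
    """
    return referer


def safe_redirect_target(referer: str, site_host: str = SITE_HOST) -> str:
    """Return a redirect target that stays on site_host, else FALLBACK.

    Accepted:
      * site-relative paths that start with a single "/" (not "//")
      * absolute http(s) URLs whose host is exactly site_host
    Rejected: data:, javascript: and any other scheme, protocol-relative
    "//evil" forms, backslash variants, userinfo tricks such as
    https://lists.example.org@evil.example/, and URLs that merely mention
    site_host somewhere in the path or query.
    """
    if not referer:
        return FALLBACK
    # Browsers treat "\" like "/" in the authority section, so normalise
    # before parsing; "/\evil.example" must be seen as "//evil.example".
    candidate = referer.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only an absolute path on this site is allowed.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return FALLBACK

    if parts.scheme.lower() not in ("http", "https"):
        # data:, javascript:, mailto:, etc. are never valid redirect targets.
        return FALLBACK

    # urlsplit().hostname already strips userinfo and lower-cases the host.
    if parts.hostname is None or parts.hostname != site_host.lower():
        return FALLBACK

    # Rebuild from parts so userinfo and a stray port are dropped.
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), site_host, path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: two attacker payloads, two legitimate ones.
    samples = [
        "data:text/html,<script>alert(1)</script>",
        "https://evil.example/?via=lists.example.org",
        "/wws/lists?x=1",
        "https://lists.example.org/wws/info/demo",
    ]
    for s in samples:
        print(f"{s!r:60} vulnerable -> {vulnerable_redirect_target(s)!r}")
        print(f"{'':60} safe       -> {safe_redirect_target(s)!r}")
```

The validator deliberately parses the value and compares the host rather than doing a substring check for the site name, since the latter passes `https://evil.example/?r=lists.example.org`; it also falls back to "/" rather than raising, so a malformed value cannot break the login flow.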
Vulnerability category: Cross site scripting (XSS); Open redirect
Products affected by CVE-2018-1000671
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000671
0.30% (probability of exploitation activity in the next 30 days)
EPSS Score History
~70th percentile (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2018-1000671
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2018-1000671
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000671
- https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html : [SECURITY] [DLA 1512-1] sympa security update (Mailing List; Third Party Advisory)
- https://github.com/sympa-community/sympa/issues/268 : XSS and open redirect on login form, CVE-2018-1000671 · Issue #268 · sympa-community/sympa · GitHub (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html : [SECURITY] [DLA 2441-1] sympa security update
- https://usn.ubuntu.com/4442-1/ : USN-4442-1: Sympa vulnerabilities | Ubuntu security notices | Ubuntu