cpe:2.3:a:sympa:sympa:4.1.2:*:*:*:*:*:*:*
Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism.
Max CVSS
7.5
EPSS Score
0.11%
Published
2023-12-31
Updated
2024-01-10
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
Max CVSS
4.3
EPSS Score
0.27%
Published
2020-12-10
Updated
2022-04-26
debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)
Max CVSS
4.3
EPSS Score
0.09%
Published
2020-10-10
Updated
2022-11-08
Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.
Max CVSS
7.8
EPSS Score
0.05%
Published
2020-10-07
Updated
2022-11-16
Sympa before 6.2.56 allows privilege escalation.
Max CVSS
7.8
EPSS Score
0.09%
Published
2020-05-27
Updated
2022-11-08
The Sympa Community Sympa version prior to version 6.2.32 contains a Directory Traversal vulnerability in wwsympa.fcgi template editing function that can result in Possibility to create or modify files on the server filesystem. This attack appear to be exploitable via HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32.
Max CVSS
9.8
EPSS Score
0.41%
Published
2018-06-26
Updated
2020-08-04
The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in Sympa before 6.1.11 does not check permissions, which allows remote attackers to list, read, and delete arbitrary list archives via vectors related to the (1) do_arc_manage, (2) do_arc_download, or (3) do_arc_delete functions.
Max CVSS
7.5
EPSS Score
1.42%
Published
2012-05-31
Updated
2012-08-14
Cross-site scripting (XSS) vulnerability in the create list option in Sympa 4.1.x and earlier allows remote authenticated users to inject arbitrary web script or HTML via the description field.
Max CVSS
4.3
EPSS Score
0.29%
Published
2004-08-21
Updated
2017-07-11
8 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!