On 9/6/18 10:36 PM, Salvatore Bonaccorso wrote:
> Source: sympa
> Version: 6.2.16~dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sympa-community/sympa/issues/268
> 
> Hi,
> 
> The following vulnerability was published for sympa, filed to start
> tracking the upstream issue. AFAIK, there is no fix available yet.
> 
> CVE-2018-1000671[0]:
> | sympa version 6.2.16 and later contains a CWE-601: URL Redirection to
> | Untrusted Site ('Open Redirect') vulnerability in the "referer"
> | parameter of the wwsympa.fcgi login action that can result in open
> | redirection and reflected XSS via data URIs. This attack appears to be
> | exploitable when the victim's browser follows a URL supplied by the
> | attacker. This vulnerability appears to have been fixed in none
> | available.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000671
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000671
> [1] https://github.com/sympa-community/sympa/issues/268
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Hello Salvatore,

upstream is working on a fix for this problem, so we can expect a patch in the 
next few days.

Regards
         Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
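For readers following the bug, the defensive check the CVE text implies is a whitelist on the post-login redirect target. The example below is added here as an illustration and is not Sympa's code (Sympa itself is Perl); the base URL, the helper names and every sample value are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin

# Constructed base URL of the list server; not a real Sympa deployment.
SITE_BASE = "https://lists.example.org/sympa"


def unsafe_redirect_target(referer: Optional[str]) -> str:
    """The CWE-601 pattern: whatever the client sent is used as the Location."""
    return referer or SITE_BASE


def safe_redirect_target(referer: Optional[str], base: str = SITE_BASE) -> str:
    """Return `referer` only if it stays on our own origin, else `base`.

    Accepts two shapes: an absolute URL that starts with our own scheme and
    host, or a path-absolute reference ("/wws/...").  Everything else,
    including data:, javascript:, scheme-relative "//host" and look-alike
    hosts, falls back to the site base.
    """
    if not referer:
        return base
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers strip or normalise them ("\" becomes "/"), so a filter that
    # parses them differently from the browser is what gets bypassed.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in referer):
        return base
    parts = urlsplit(base)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    # Absolute URL: exact origin followed by "/", compared case-insensitively,
    # so "https://host.evil.example/" and "https://host@evil.example/" fail.
    if referer.lower().startswith(origin + "/"):
        return referer
    # Path-absolute reference: one leading "/", not "//" (scheme-relative).
    # A bare "data:..." or "javascript:..." has no leading "/" and is dropped.
    if referer.startswith("/") and not referer.startswith("//"):
        return urljoin(origin + "/", referer)
    return base
```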
