On 9/6/18 10:36 PM, Salvatore Bonaccorso wrote:
> Source: sympa
> Version: 6.2.16~dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sympa-community/sympa/issues/268
>
> Hi,
>
> The following vulnerability was published for sympa, filed to start
> tracking the upstream issue. AFAIK, there is no fix available yet.
>
> CVE-2018-1000671[0]:
> | sympa version 6.2.16 and later contains a CWE-601: URL Redirection to
> | Untrusted Site ('Open Redirect') vulnerability in The "referer"
> | parameter of the wwsympa.fcgi login action. that can result in Open
> | redirection and reflected XSS via data URIs. This attack appear to be
> | exploitable via Victim's browser must follow a URL supplied by the
> | attacker. This vulnerability appears to have been fixed in none
> | available.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000671
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000671
> [1] https://github.com/sympa-community/sympa/issues/268
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hello Salvatore,

upstream is working on a fix for this problem, so we can expect a patch
in the next few days.

Regards,
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
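As an added illustration of the defensive check behind the CVE above (example code written for this thread, not Sympa's code and not the upstream fix), this is the kind of validation a web application should apply to a referer-style "return to" parameter before issuing the post-login redirect: it keeps same-host http(s) URLs and site-relative paths, and falls back to a default for anything that would leave the site or is a data:/javascript: URI. The host name lists.example.org and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Schemes that may appear in an absolute redirect target. data: and
# javascript: are deliberately absent: a data: target is the reflected
# XSS vector named in the CVE text.
SAFE_SCHEMES = {"http", "https"}


def safe_redirect_target(referer, allowed_host, fallback="/"):
    """Return a redirect target that stays on allowed_host, else fallback.

    allowed_host is the exact expected host[:port] of this site (assumed
    value for the example; a real deployment takes it from configuration).
    """
    if not referer:
        return fallback
    # Control characters, whitespace and backslashes are the usual way to
    # slip a foreign host past naive checks ("/\evil.example",
    # "\t//evil.example"), so reject rather than try to normalise.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in referer) or "\\" in referer:
        return fallback
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. malformed IPv6 literal in the host
        return fallback
    if parts.scheme:
        # Absolute URL: only http(s) back to this exact host is allowed.
        # Comparing the full netloc (not just hostname) also rejects
        # "user@host" forms and unexpected ports.
        if parts.scheme.lower() not in SAFE_SCHEMES:
            return fallback
        if parts.netloc.lower() != allowed_host.lower():
            return fallback
        return referer
    if parts.netloc:
        return fallback         # protocol-relative "//evil.example/"
    # Relative reference: a single leading slash makes the browser resolve
    # it against the current origin; "//" would be a different host.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return referer
```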