CVE-2018-1000671

Published: 6 September 2018

sympa version 6.2.16 and later contains a CWE-601 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the "referer" parameter of the wwsympa.fcgi login action. The unvalidated value is used as the post-login redirect target, which allows open redirection and, via data: URIs, reflected XSS. Exploitation requires the victim's browser to follow a URL supplied by the attacker. At the time the CVE was published no fixed release was available.
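The following is an added example, not code from Sympa or from this page. It assumes a site host of lists.example.org and a default landing page of /sympa (both hypothetical), and places the unvalidated redirect the advisory describes beside a validator of the kind that closes this class of bug: it accepts only a same-site path or an http(s) URL whose authority is exactly the site's own, and rejects data: and javascript: schemes, off-site hosts, and the protocol-relative and backslash forms that browsers normalise into an off-site redirect (a little beyond the data: case the advisory names).

```python
"""Added example (not Sympa's own code): validating a post-login
redirect target such as Sympa's 'referer' parameter so that it can
neither send the user off-site (CWE-601) nor land a data: or
javascript: URI in a Location header or link (reflected XSS)."""
from urllib.parse import unquote, urlsplit

# Assumption for this example: the host name Sympa is served from.
SITE_HOST = "lists.example.org"
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_TARGET = "/sympa"  # assumed fallback page, also hypothetical


def vulnerable_redirect(referer: str) -> str:
    """The failure mode described in the advisory: the attacker-supplied
    value becomes the redirect target without any validation."""
    return referer


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """True only if target is an absolute path on this site or an http(s)
    URL whose authority is exactly site_host; everything else is rejected."""
    if not isinstance(target, str) or not target:
        return False
    # Decode once so '%2F%2Fevil.example' is judged as '//evil.example'.
    decoded = unquote(target)
    # Whitespace and control characters enable header injection
    # ('\r\nSet-Cookie:') and scheme obfuscation ('java\tscript:').
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme:
        # Absolute URL: data:, javascript:, ftp: and friends fail the scheme
        # test; 'https://lists.example.org@evil.example/' fails the authority
        # test because netloc keeps the userinfo part, so it is not equal.
        return parts.scheme in ALLOWED_SCHEMES and parts.netloc.lower() == site_host.lower()
    # No scheme: require an absolute path on this site. A second leading '/'
    # makes a protocol-relative URL, and browsers treat a leading '/\' the
    # same way, so both are rejected.
    if parts.netloc or decoded[0] != "/":
        return False
    if len(decoded) > 1 and decoded[1] in "/\\":
        return False
    return True


def resolve_redirect(referer: str, default: str = DEFAULT_TARGET) -> str:
    """Hardened form: fall back to a fixed on-site page whenever the
    supplied value does not pass is_safe_redirect()."""
    return referer if is_safe_redirect(referer) else default


if __name__ == "__main__":
    # Constructed sample inputs, as a legitimate client or an attacker might send them.
    samples = [
        "/sympa/lists",
        "https://lists.example.org/sympa/info/demo",
        "http://evil.example/",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/",
        "/\\evil.example/",
        "%2F%2Fevil.example/",
    ]
    for sample in samples:
        print(f"{sample!r:45} vulnerable -> {vulnerable_redirect(sample)!r:45} "
              f"hardened -> {resolve_redirect(sample)!r}")
```

The strict authority comparison (netloc, not hostname) deliberately rejects a same-host URL that carries userinfo or a non-default port; for a login redirect the loss of those rare legitimate forms is cheaper than the bypass they invite.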

Priority: Medium

CVSS 3 severity score: 6.1 (breakdown below)

Status

Package release status for sympa

Release   Status                                   Notes
bionic    Released (6.2.24~dfsg-1ubuntu0.1~esm1)   Available with Ubuntu Pro
cosmic    Ignored (end of life)
disco     Not vulnerable (6.2.40~dfsg-1)
eoan      Not vulnerable (6.2.40~dfsg-1)
focal     Not vulnerable (6.2.40~dfsg-1)
groovy    Not vulnerable (6.2.40~dfsg-1)
hirsute   Not vulnerable (6.2.40~dfsg-1)
impish    Not vulnerable (6.2.40~dfsg-1)
jammy     Not vulnerable (6.2.40~dfsg-1)
kinetic   Not vulnerable (6.2.40~dfsg-1)
lunar     Not vulnerable (6.2.40~dfsg-1)
trusty    Released (6.1.17~dfsg-1ubuntu0.1~esm1)   Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
upstream  Released (6.2.36~dfsg-1)
xenial    Released (6.1.24~dfsg-1ubuntu0.1~esm1)   Available with Ubuntu Pro

Patches:
upstream: https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325
upstream: https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1

Severity score breakdown

Parameter               Value
Base score              6.1
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        Required
Scope                   Changed
Confidentiality impact  Low
Integrity impact        Low
Availability impact     None
Vector                  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N