Description
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-29668
- https://github.com/sympa-community/sympa/issues/1041
- https://github.com/sympa-community/sympa/pull/1044
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
- https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
- https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JICIHAJKKCZXJNIICUDYXGZFQCN6J4U6
- https://www.debian.org/security/2020/dsa-4818
Related vulnerabilities
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API ...
Vulnerability in the authenticateAndRun function of the Sympa mailing list manager, caused by a flaw in the authentication mechanism, which allows an attacker to gain access to confidential data