Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-1000671 — Open Redirect in Sympa

CWE-601 — Open Redirect10 documents7 sources

Severity

6.1MEDIUMNVD

OSV9.8

EPSS

0.6%

top 29.76%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Sympa Debian Sympa Debian Linux

Timeline

PublishedSep 6

Latest updateMay 13

Description

sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action. that can result in Open redirection and reflected XSS via data URIs. This attack appear to be exploitable via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/sympa< sympa 6.2.36~dfsg-1 (bookworm)

▶Debiansympa/sympa< 6.2.36~dfsg-1+3

▶Ubuntusympa/sympa< 6.1.17~dfsg-1ubuntu0.1~esm1+3

▶NVDsympa/sympa

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-rxx7-mqqx-phw8: sympa version 6↗2022-05-13

▶

OSV

sympa vulnerabilities↗2021-03-15

▶

OSV

sympa vulnerabilities↗2020-07-28

▶

OSV

CVE-2018-1000671: sympa version 6↗2018-09-06

▶

💥Exploits & PoCs

Nuclei

Sympa version =>6.2.16 - Cross-Site Scripting

▶

📋Vendor Advisories

Ubuntu

Sympa vulnerabilities↗2021-03-15

▶

Ubuntu

Sympa vulnerabilities↗2020-07-28

▶

Debian

CVE-2018-1000671: sympa - sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted ...↗2018

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter October 2025↗

▶