CVE-2018-1000671
published 2018-09-06


Priority: P3 (37)
CVSS 3.0: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 3.98% (89.2th percentile)
Sympa version 6.2.16 and later contains a CWE-601 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the "referer" parameter of the wwsympa.fcgi login action. The unvalidated parameter allows open redirection and, because the redirect target can be a data: URI, reflected XSS. Exploitation requires the victim's browser to follow an attacker-supplied URL. The original description lists no fixed version ("none available"); see the affected ranges below for the distribution packages that carry a fix.
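The pattern behind this class of bug is a login handler that copies a request parameter straight into the Location header. The following is an added example, not Sympa's own code (Sympa is written in Perl; this is Python, and the function names, the expected host lists.example.org and the DEFAULT_LANDING path are assumptions). It puts the unsafe echo beside a validator that only accepts same-origin targets and rejects data:, javascript:, protocol-relative and backslash-disguised hosts, using constructed referer values as input.

```python
from urllib.parse import urlsplit, urlunsplit

# Landing page used whenever the supplied referer is rejected (assumed name).
DEFAULT_LANDING = "/sympa"


def vulnerable_redirect(referer: str) -> str:
    """The unsafe pattern: return the referer parameter as the Location value.

    Anything passes through unchanged, including an off-site URL (open
    redirect) or a data: URI that the browser renders as attacker-controlled
    HTML once it follows the redirect (reflected XSS).
    """
    return referer


def safe_redirect_target(referer: str, expected_host: str) -> str:
    """Return a site-relative redirect target, or DEFAULT_LANDING if unsafe.

    Accepts either an absolute http(s) URL whose host is exactly
    expected_host, or a site-relative path starting with a single "/".
    Everything else (other schemes, foreign hosts, "//host" forms,
    control characters) falls back to DEFAULT_LANDING.
    """
    if not referer:
        return DEFAULT_LANDING

    # Control characters and whitespace break the Location header and are
    # used to smuggle schemes past naive prefix checks.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in referer):
        return DEFAULT_LANDING

    # Browsers treat "/\evil.example" like "//evil.example"; normalise first
    # so urlsplit sees the same host the browser would.
    candidate = referer.replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()

    if scheme:
        # Absolute URL: only http(s), and only our own host. This also
        # rejects "https://lists.example.org@evil.example/" because the
        # netloc then contains the userinfo and does not match.
        if scheme not in ("http", "https"):
            return DEFAULT_LANDING  # data:, javascript:, file:, ...
        if parts.netloc.lower() != expected_host.lower():
            return DEFAULT_LANDING
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))

    # No scheme: must be site-relative, not protocol-relative ("//host/...").
    if parts.netloc or candidate.startswith("//"):
        return DEFAULT_LANDING
    if not candidate.startswith("/"):
        return DEFAULT_LANDING
    # Drop any fragment; keep path and query.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def demo() -> dict:
    """Run both handlers over constructed referer values (sample data)."""
    host = "lists.example.org"
    samples = [
        "/sympa/lists?topic=security",
        "https://lists.example.org/sympa/info/test",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "data:text/html,<script>alert(1)</script>",
        "javascript:alert(1)",
        "https://lists.example.org@evil.example/",
    ]
    return {s: (vulnerable_redirect(s), safe_redirect_target(s, host)) for s in samples}


if __name__ == "__main__":
    for referer, (unsafe, safe) in demo().items():
        print(f"{referer!r}\n  unsafe -> {unsafe!r}\n  safe   -> {safe!r}")
```

The validator returns a relative path rather than the original string even when the host matches, so the emitted Location can never carry a scheme or authority chosen by the attacker; that is the property the "referer" handling in the affected login action lacks.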

Affected

11 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | sympa | < sympa 6.2.36~dfsg-1 (bookworm) | sympa 6.2.36~dfsg-1 (bookworm)
sympa | sympa | >= 0 < 6.2.36~dfsg-1 | 6.2.36~dfsg-1
sympa | sympa | >= 0 < 6.2.36~dfsg-1 | 6.2.36~dfsg-1
sympa | sympa | >= 0 < 6.2.36~dfsg-1 | 6.2.36~dfsg-1
sympa | sympa | >= 0 < 6.2.36~dfsg-1 | 6.2.36~dfsg-1
sympa | sympa | >= 0 < 6.1.17~dfsg-1ubuntu0.1~esm1 | 6.1.17~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.1.24~dfsg-1ubuntu0.1~esm1 | 6.1.24~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.2.24~dfsg-1ubuntu0.1~esm1 | 6.2.24~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.2.40~dfsg-4ubuntu0.20.04.1~esm1 | 6.2.40~dfsg-4ubuntu0.20.04.1~esm1
sympa | sympa | >= 6.2.16 |

Version strings carrying ~dfsg, ubuntu or ~esm suffixes are Debian and Ubuntu package versions, not upstream Sympa release numbers; when checking an installation, compare against the package version reported by the distribution, not the upstream version. The last row (>= 6.2.16, no upper bound) is the upstream range from the CVE description.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N
osv | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.8 | CRITICAL |
vendor_debian | | 6.1 | MEDIUM |

The sources disagree: the 9.8 scores from osv and Ubuntu are not consistent with the NVD vector, which requires user interaction (UI:R) and rates confidentiality and integrity impact as low, the usual profile for an open redirect with reflected XSS. Treat 6.1 as the defensible base score and the 9.8 entries as a prompt to check how each feed derived its rating.