Vulnerability CVE-2020-29668: Information

Description

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

Severity: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-29668

Published: Dec. 10, 2020

Modified: Nov. 7, 2023

Error type identifier: CWE-287, CWE-565

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md	Release Notes Third Party Advisory
https://github.com/sympa-community/sympa/issues/1041	Exploit Patch Third Party Advisory
https://github.com/sympa-community/sympa/pull/1044	Patch Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020	Mailing List Third Party Advisory
[debian-lts-announce] 20201217 [SECURITY] [DLA 2499-1] sympa security update	Mailing List Third Party Advisory
DSA-4818	Third Party Advisory
FEDORA-2021-a5570c5281
FEDORA-2021-11cb6626e2

Affected configurations:
1. Configuration 1
  cpe:2.3:a:sympa:sympa:6.2.59:beta1:*:*:*:*:*:*
  cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*
  End including
  6.2.58
  
  Configuration 2
  cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.1

Vulnerability CVE-2020-29668: Information

Description

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3