CVE-2021-46900

2023-12-3105:15:08

Debian Security Bug Tracker

security-tracker.debian.org

cve-2021-46900

sympa

security objectives

cookie parameter

stored passwords

xss protection

unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

44.3%

JSON

Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism.

OSVersionArchitecturePackageVersionFilename
Debian12allsympa< 6.2.66~dfsg-1sympa_6.2.66~dfsg-1_all.deb
Debian11allsympa<= 6.2.60~dfsg-4sympa_6.2.60~dfsg-4_all.deb
Debian999allsympa< 6.2.66~dfsg-1sympa_6.2.66~dfsg-1_all.deb
Debian13allsympa< 6.2.66~dfsg-1sympa_6.2.66~dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	sympa	< 6.2.66~dfsg-1	sympa_6.2.66~dfsg-1_all.deb
Debian	11	all	sympa	<= 6.2.60~dfsg-4	sympa_6.2.60~dfsg-4_all.deb
Debian	999	all	sympa	< 6.2.66~dfsg-1	sympa_6.2.66~dfsg-1_all.deb
Debian	13	all	sympa	< 6.2.66~dfsg-1	sympa_6.2.66~dfsg-1_all.deb