oss-sec mailing list archives

Re: Possible CVE request: sympa: vulnerability in the web interface


From: cve-assign () mitre org
Date: Thu, 22 Jan 2015 09:28:14 -0500 (EST)


On Tue, 20 Jan 2015, Salvatore Bonaccorso wrote:

Hi

I would like to ask if a CVE could be assigned for the following issue
(it is not clear if upstream has already requested one):
https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting

The advisory reads:

A vulnerability has been discovered in the Sympa web interface that
allows access to files on the server filesystem.

This breach allows sending to a list or a user any file readable by
the Sympa user, located on the server filesystem, using the Sympa web
interface newsletter posting area.

Upstream patch: 
https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch

Thanks in advance,

Regards,
Salvatore

Use CVE-2015-1306.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

