SB2020072883 - Ubuntu update for sympa
Published: July 28, 2020 Updated: April 23, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-1000550)
The vulnerability allows a remote attacker to create or modify files on the filesystem.
The vulnerability exists due to input validation error when processing directory traversal sequences in wwsympa.fcgi when editing templates. A remote authenticated attacker can send a specially crafted HTTP GET or POST request and edit or create files on the system outside the webroot directory.
2) Cross-site scripting (CVE-ID: CVE-2018-1000671)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via Victim's browser must follow a URL supplied by the attacker. This vulnerability appears to have been fixed in none available. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Improper Privilege Management (CVE-ID: CVE-2020-10936)
The vulnerability allows a local authenticated user to escalate privileges.
The vulnerability exists due to improper management of privileges within the application. A local user can gain elevated privileges via unknown vectors.
Remediation
Install update from vendor's website.