Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
https://www.debian.org/security/2020/dsa-4818
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JICIHAJKKCZXJNIICUDYXGZFQCN6J4U6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/
https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
https://github.com/sympa-community/sympa/pull/1044
https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
https://github.com/sympa-community/sympa/issues/1041
Source: Mitre, NVD
Published: 2020-12-10
Updated: 2023-11-07
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
Severity: Medium
Base Score: 3.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: Low
EPSS: 0.01138