The Sympa Community 2021-01-06 (Update)
A fix is available for defects in the access restriction of Sympa SOAP/HTTP interface.
Defects have been discovered in the authenticateAndRun call of the Sympa SOAP/HTTP interface by which its access restriction can be bypassed.
As a result, any SOAP call can be executed.
For more details see References.
This problem does not apply to environments where the SOAP/HTTP server
(sympa_soap_server.fcgi) is not running.
An attacker can execute any SOAP call with the privileges of any Sympa account.
Upgrade Sympa to version 6.2.60 or later,
or, if you installed Sympa from an earlier version of the source distribution,
apply a patch:
Patch for Sympa 6.2.28 to 6.2.58: sympa-6.2.58-sa-2020-003-r1.patch
Patch for Sympa 6.2 to 6.2.24: sympa-6.2.24-sa-2020-003-r1.patch
Patch for Sympa 6.1.25: sympa-6.1.25-sa-2020-003-r1.patch
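As an added check for the upgrade-or-patch procedure above (example code written for this page, not tooling from the Sympa project or the advisory), the following POSIX shell functions map an installed Sympa version to the action the advisory prescribes and tell whether the SOAP/HTTP server is actually running, since the advisory does not apply when sympa_soap_server.fcgi is not running. It assumes version strings are plain numeric dotted versions such as 6.2.58, matches the SOAP server by the name sympa_soap_server.fcgi in a process listing, and uses a constructed process listing whose paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Sympa advisory or the Sympa project.
# Assumptions: versions are numeric dotted strings ("6.2.58"); the process
# listing below is constructed and its paths are invented for illustration.

# ver_ge A B: succeed when dotted version A >= B, comparing component by
# component; a missing component counts as 0 (so 6.2 < 6.2.25 and 6.2.12 > 6.2).
ver_ge() {
    _a="$1." _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _a=${_a#*.}
        _y=${_b%%.*}; _b=${_b#*.}
        _x=${_x:-0}; _y=${_y:-0}
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
    done
    return 0
}

# sympa_action VERSION: print the action the advisory prescribes for VERSION,
# using exactly the version ranges the advisory lists for each patch.
sympa_action() {
    _v="$1"
    if ver_ge "$_v" 6.2.60; then
        echo "fixed: $_v is 6.2.60 or later, no action required"
    elif ver_ge "$_v" 6.2.28 && ! ver_ge "$_v" 6.2.59; then     # 6.2.28 .. 6.2.58
        echo "affected: apply sympa-6.2.58-sa-2020-003-r1.patch or upgrade to 6.2.60"
    elif ver_ge "$_v" 6.2 && ! ver_ge "$_v" 6.2.25; then        # 6.2 .. 6.2.24
        echo "affected: apply sympa-6.2.24-sa-2020-003-r1.patch or upgrade to 6.2.60"
    elif [ "$_v" = 6.1.25 ]; then
        echo "affected: apply sympa-6.1.25-sa-2020-003-r1.patch or upgrade to 6.2.60"
    else
        echo "affected: no patch listed for $_v, upgrade to 6.2.60"
    fi
}

# soap_exposed PROCLIST: succeed when PROCLIST (e.g. the output of
# `ps -eo args`) shows sympa_soap_server.fcgi, i.e. the SOAP/HTTP interface
# is running and the advisory applies to this host.
soap_exposed() {
    printf '%s\n' "$1" | grep -q 'sympa_soap_server\.fcgi'
}

# Constructed sample process listing (not captured from a real host; the
# paths are assumptions) used to demonstrate soap_exposed.
SAMPLE_PS='/usr/bin/perl /usr/lib/sympa/bin/sympa_msg.pl
/usr/bin/perl /usr/lib/sympa/bin/sympa_soap_server.fcgi
/usr/sbin/apache2 -k start'

# Demonstration: assess an installed version against the process listing.
if soap_exposed "$SAMPLE_PS"; then
    echo "SOAP/HTTP server is running: $(sympa_action 6.2.58)"
else
    echo "SOAP/HTTP server not running: advisory does not apply"
fi
```

On a real host, replace SAMPLE_PS with `"$(ps -eo args)"` and pass the version reported by your Sympa installation to sympa_action; versions between 6.2.25 and 6.2.27 and below 6.1.25 have no patch listed in the advisory, so the only listed remedy for them is the upgrade.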
The security flaw was initially reported by Stefan Brenner.
Initial version published.
Solution: Added reference to patches for version 6.2.24 or earlier.