PT-2020-5770 · Sympa · Sympa

Racke · Published 2020-11-24 · Updated 2022-04-26 · CVE-2020-29668

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sympa versions prior to 6.2.59b.2
Description: The issue lies in the authenticateAndRun function of the Sympa mailing list manager's SOAP interface, which does not properly validate the cookie value it receives. A remote attacker can obtain confidential data by sending any string (other than the value of an expired cookie) as the cookie value to authenticateAndRun, which can grant full SOAP API access.
Recommendations: For versions prior to 6.2.59b.2, update to version 6.2.59b.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the authenticateAndRun function until the update can be applied.

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2021-01729
CVE-2020-29668
DLA-2499-1
DSA-4818-1

Affected Products

Sympa