Subject: Developers of Sympa
List archive
[sympa-developpers] XSS vulnerability found in the Sympa web interface
- From: Martin <address@concealed>
- To: address@concealed
- Subject: [sympa-developpers] XSS vulnerability found in the Sympa web interface
- Date: Wed, 17 May 2017 18:15:34 -0400
Hello Sympa devs,
I'm currently searching for someone of trust to fix an XSS vulnerability
that I have discovered in the web interface of Sympa (latest version).
To whom can I send the vulnerability report? I can send it to a public
mailing list if you want, but it isn't recommended to make it public
before releasing a fix.
It's really complicated to get in contact with someone in private to
report a Sympa vulnerability. I suggest creating a page at [1]
with a point of contact to send future security reports.
Timeline:
- beginning of March 2017: discovery of an XSS vulnerability in Sympa
- 04/03/2017: report sent to address@concealed (the only
list that I found that doesn't have public archives)
- 13/03/2017: reminder sent to address@concealed with
direct copies to address@concealed and address@concealed
- 13/03/2017: auto-response of address@concealed saying that he
doesn't work here anymore
- 13/03/2017: auto-response of address@concealed saying that he
will be back at work on 10/04/2017
- 26/04/2017: reminder sent to address@concealed
- no reply received
Best,
Martin Gubri
[1] https://www.sympa.org/security