The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.
https://www.sympa.org/security_advisories
http://www.securityfocus.com/bid/72277
http://www.openwall.com/lists/oss-security/2015/01/20/4
http://www.mandriva.com/security/advisories?name=MDVSA-2015:051
http://www.debian.org/security/2015/dsa-3134
http://secunia.com/advisories/62442