
CVSS: 4.7 | EPSS: 0% | CPEs: 6 | EXPL: 0

24 Jun 2020 — GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. Several vulnerabilities were discovered in mailman, a web-based mailing list manager, which could result in arbitrary content injection via the options and private archive login pages, and CSRF attacks or privilege escalation via the... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 | EPSS: 2% | CPEs: 10 | EXPL: 1

06 May 2020 — /options/mailman in GNU Mailman before 2.1.31 allows arbitrary content injection. USN-5009-1 fixed vulnerabilities in Mailman. This update provides the corresponding updates for Ubuntu 20.04 LTS. It was discovered that Mailman allows arbitrary content injection. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 10 | EXPL: 0

24 Apr 2020 — GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code. • http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 | EPSS: 0% | CPEs: 3 | EXPL: 0

16 Jul 2018 — Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. A cross-site scripting vulnerability (XSS) has been discovered in mailman due to the host_name field not being properly validated. A malicious list owner c... • http://jvn.jp/en/jp/JVN00846677/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Jul 2018 — An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site. It was discovered that Mailman incorrectly handled certain inputs. • https://bugs.launchpad.net/mailman/+bug/1780874 • CWE-20: Improper Input Validation; CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 6.1 | EPSS: 2% | CPEs: 20 | EXPL: 2

23 Jan 2018 — Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, ... • https://packetstorm.news/files/id/159761 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 46 | EXPL: 0

02 Sep 2016 — Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. • http://www.debian.org/security/2016/dsa-3668 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Sep 2016 — Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators. It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery attacks. If an authenticated user were t... • http://www.securityfocus.com/bid/92732 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.8 | EPSS: 3% | CPEs: 6 | EXPL: 1

06 Apr 2015 — Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name. It was found that mailman did not sanitize the list name before passing it to certain MTAs. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154911.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1 | EPSS: 0% | CPEs: 13 | EXPL: 0

29 Dec 2011 — Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mailman/htdig integration patch for Mailman allows remote attackers to inject arbitrary web script or HTML via the config parameter. • https://sitewat.ch/Advisory/View/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •