CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-0618 – mailman: Cross-site scripting vulnerability allows malicious listowners to inject scripts into listinfo pages
https://notcve.org/view.php?id=CVE-2018-0618
16 Jul 2018 — Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en Mailman 2.1.26 y anteriores permite que los atacantes autenticados inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. A cross-site scripting vulnerability (XSS) has been discovered in mailman due to the host_name field not being properly validated. A malicious list owner c... • http://jvn.jp/en/jp/JVN00846677/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13796 – mailman: Mishandled URLs in Utils.py:GetPathPieces() allows attackers to display arbitrary text on trusted sites
https://notcve.org/view.php?id=CVE-2018-13796
12 Jul 2018 — An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site. Se ha descubierto un problema en GNU Mailman en versiones anteriores a la 2.1.28. Una URL manipulada podría provocar que el texto arbitrario se muestre en una página web de un sitio fiable. It was discovered that Mailman incorrectly handled certain inputs. • https://bugs.launchpad.net/mailman/+bug/1780874 • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 2CVE-2018-5950 – mailman: Cross-site scripting (XSS) vulnerability in web UI
https://notcve.org/view.php?id=CVE-2018-5950
23 Jan 2018 — Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. Vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz de usuario web en Mailman en versiones anteriores a la 2.1.26 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante una URL user-options. A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, ... • https://packetstorm.news/files/id/159761 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7123 – Ubuntu Security Notice USN-3118-1
https://notcve.org/view.php?id=CVE-2016-7123
02 Sep 2016 — Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators. Vulnerabilidad de CSRF en la interfaz web administrativa en GNU Mailman en versiones anteriores a 2.1.15 permite a atacantes remotos secuestrar la autenticación de administradores. It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery attacks. If an authenticated user were t... • http://www.securityfocus.com/bid/92732 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 46EXPL: 0CVE-2016-6893 – mailman: CSRF protection missing in the user options page
https://notcve.org/view.php?id=CVE-2016-6893
02 Sep 2016 — Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. Vulnerabilidad de CSRF en la página de opciones de usuario en GNU Mailman 2.1.x en versiones anteriores a 2.1.23 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para peticiones que modific... • http://www.debian.org/security/2016/dsa-3668 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 2%CPEs: 6EXPL: 1CVE-2015-2775 – mailman: directory traversal in MTA transports that deliver programmatically
https://notcve.org/view.php?id=CVE-2015-2775
06 Apr 2015 — Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name. Vulnerabilidad de salto de directorio en GNU Mailman anterior a 2.1.20, cuando no utiliza un alias estático, permite a atacantes remotos ejecutar ficheros arbitrarios a través de un .. (punto punto) en un nombre de lista. It was found that mailman did not sanitize the list name before passing it to certain MTAs. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154911.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 13EXPL: 0CVE-2011-5024
https://notcve.org/view.php?id=CVE-2011-5024
29 Dec 2011 — Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mailman/htdig integration patch for Mailman allows remote attackers to inject arbitrary web script or HTML via the config parameter. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en mmsearch/diseño en el Mailman/htdig parche de integración de Mailman permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de configuración. • https://sitewat.ch/Advisory/View/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2011-0707 – Mailman: Three XSS flaws due improper escaping of the full name of the member
https://notcve.org/view.php?id=CVE-2011-0707
22 Feb 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados(XSS) en CGI/confirm.py en GNU Mailman v2.1.14 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo (1) nombre completo o (2) nombre de usuario en un mensa... • http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2010-3089 – mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks
https://notcve.org/view.php?id=CVE-2010-3089
15 Sep 2010 — Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en GNU Mailman anterior a v2.1.14rc1 permite a los usuarios remotos autenticados inyectar código web o HTML a su elección a través de vectores involucrados (1) el campo de infor... • http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2008-0564 – mailman: XSS triggerable by list administrator
https://notcve.org/view.php?id=CVE-2008-0564
05 Feb 2008 — Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS)en Mailman en versiones anteriores a 2.1.10b1. Permiten a atacantes remotos inyectar scripts wet y HTMLs arbitrarios po... • http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •