256 matches found
Privilege Escalation
GNU Mailman allows remote Privilege Escalation. A csrftoken value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin e.g., for account takeover...
Privilege Escalation
GNU Mailman is vulnerable to allow remote Privilege Escalation. A certain csrftoken value is derived from the admin password, and may be useful in conducting a brute-force attack against that password...
Debian DSA-4991-1 : mailman - security update
The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-4991 advisory. - /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. CVE-2020-12108 - GNU Mailman before 2.1.33 allows arbitrary content injection...
Ubuntu 16.04 ESM / 18.04 LTS : Mailman vulnerabilities (USN-5121-1)
The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5121-1 advisory. Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman did not properly associate cross- site request forgery CSRF tokens to...
CVE-2021-42096
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrftoken value is derived from the admin password, and may be useful in conducting a brute-force attack against that password...
CVE-2021-42097
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrftoken value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin e.g., for account takeover...
CVE-2021-42097
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrftoken value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin e.g., for account takeover...
CVE-2021-42097
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrftoken value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin e.g., for account takeover...
CVE-2021-42097
GNU Mailman 2.1.x before 2.1.35 is affected by a CSRF/token bypass vulnerability (CVE-2021-42097) where a csrf_token value is not bound to a single user, enabling a CSRF attack against an admin that can lead to admin account takeover. The issue arises from CSRF protection weaknesses on the user o...
CVE-2021-42096
CVE-2021-42096 affects GNU Mailman before 2.1.35 where a CSRF token is derived from the admin password, enabling offline brute-force attacks and contributing to remote privilege escalation. Related advisories (CVE-2021-42097, CVE-2021-44227) describe additional CSRF/token issues and password-rela...
CVE-2021-42096
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrftoken value is derived from the admin password, and may be useful in conducting a brute-force attack against that password...
GNU Mailman 跨站请求伪造漏洞
GNU Mailman is a free suite of software from the GNU community for managing e-mail discussions and e-mail lists. The software integrates with Web projects to make it easy for users to manage email subscription accounts and provides built-in archiving, automatic forwarding processing, content...
PT-2021-23524 · Unknown +8 · Gnu Mailman +8
Name of the Vulnerable Software and Affected Versions: GNU Mailman versions prior to 2.1.35 Description: The issue allows remote Privilege Escalation. A csrf token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, an...
UBUNTU-CVE-2021-42097
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrftoken value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin e.g., for account takeover...
PYSEC-2021-319
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker logged into any account can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place...
UBUNTU-CVE-2021-40347
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker logged into any account can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place...
CVE-2021-40347
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker logged into any account can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place...
PYSEC-2021-319
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker logged into any account can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place...
CVE-2021-40347
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker logged into any account can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place...
CVE-2021-40347
The CVE-2021-40347 issue affects GNU Mailman Postorius (views/list.py) for versions before 1.3.5. An authenticated attacker can send a crafted POST request to unsubscribe any user from a mailing list and can reveal whether that address was subscribed. Remediation: upgrade Postorius to 1.3.5 or ne...