CVE-2020-12108
Summary: CVE-2020-12108 affects GNU Mailman prior to 2.1.31, allowing arbitrary content injection via the /options/mailman page (and related login/archival areas per advisories). Affected software: Mailman 2.1.x series before 2.1.31. Root cause / vector: improper handling on the options/login pat...
CVE-2020-15011
CVE-2020-15011 affects GNU Mailman prior to 2.1.33. The vulnerability allows arbitrary content injection via the Cgi/private.py private archive login page. Affected product: GNU Mailman 2.1.x (before 2.1.33). Impact described in sources as arbitrary content injection, with other related CVEs ofte...
CVE-2021-44227
GNU Mailman 2.1.x prior to 2.1.38 is affected by CVE-2021-44227, allowing a list member or moderator to obtain a CSRF token and craft an admin request that can change settings or reset the admin password, potentially leading to admin takeover. Multiple advisories confirm the issue across distribu...
CVE-2021-42096
CVE-2021-42096 affects GNU Mailman before 2.1.35 where a CSRF token is derived from the admin password, enabling offline brute-force attacks and contributing to remote privilege escalation. Related advisories (CVE-2021-42097, CVE-2021-44227) describe additional CSRF/token issues and password-rela...
CVE-2021-42097
GNU Mailman 2.1.x before 2.1.35 is affected by a CSRF/token bypass vulnerability (CVE-2021-42097) where a csrf_token value is not bound to a single user, enabling a CSRF attack against an admin that can lead to admin account takeover. The issue arises from CSRF protection weaknesses on the user o...
CVE-2018-5950
CVE-2018-5950 affects Mailman web UI: a cross-site scripting (XSS) vulnerability that can be triggered via a crafted user-options URL to inject arbitrary script/HTML. Affected: Mailman 2.1.x up to 2.1.25 (before 2.1.26). Impact per sources: remote attacker can execute script in user context; info...
CVE-2018-13796
CVE-2018-13796 affects GNU Mailman up to version 2.1.27 (pre-2.1.28). A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site, via mishandling of list/URL content in the web UI. Connected advisories confirm this alongside CVE-2018-0618 (XSS) in Mailman. Remediatio...
CVE-2021-43331
CVE-2021-43331 affects GNU Mailman before 2.1.36. A crafted URL to the Cgi/options.py user options page can trigger cross-site scripting (XSS) by executing arbitrary JavaScript. Public sources confirm fixes in Mailman 2.1.36 and later; apply the upgrade to mitigate. The documentation also references related...
CVE-2021-43332
CVE-2021-43332 affects GNU Mailman before 2.1.36. The CSRF token on the Cgi/admindb.py admindb page contains an encrypted version of the list admin password, which could potentially be cracked by a moderator via offline brute-force. Documents correlate this with other Mailman issues (e.g., CVE-2021-4...
CVE-2021-34337
Affected software: Mailman Core before 3.3.5. Vulnerability: REST API timing attack could allow an attacker with local access to deduce the configured REST API password and then perform arbitrary REST API calls. The REST API is bound to localhost by default, but can be configured to listen on oth...
CVE-2002-0389
CVE-2002-0389 concerns Pipermail in Mailman, where private mail messages are stored with predictable filenames in a world-executable directory, allowing local users to read private mailing list archives. The connected advisories corroborate the issue within Mailman and reference multiple CVEs (no...
CVE-2001-0884
CVE-2001-0884 is a cross-site scripting vulnerability in the Mailman email archiver prior to version 2.08. The issue allows attackers to obtain sensitive information or authentication credentials via a malicious link that is accessed by other web users. The provided documents do not include remed...