Mailman@* Security Vulnerabilities and Issues — Mailman@* CVE List

Lucene search

GnuMailman*

5 matches found

CVE•added 2021/12/02 3:15 a.m.•218 views

CVE-2021-44227

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

8.8CVSS8.5AI score0.00339EPSS

CVE•added 2021/10/21 1:15 a.m.•213 views

CVE-2021-42097

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

8.5CVSS7.5AI score0.01214EPSS

CVE•added 2021/10/21 1:15 a.m.•208 views

CVE-2021-42096

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

4.3CVSS5.6AI score0.0039EPSS

CVE•added 2021/11/12 9:15 p.m.•90 views

CVE-2021-43331

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

6.1CVSS6.5AI score0.00139EPSS

CVE•added 2021/11/12 9:15 p.m.•79 views

CVE-2021-43332

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

6.5CVSS6.4AI score0.00144EPSS