| CVE | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-44227 | AVG-2598 | Medium | Yes | Cross-site request forgery | In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or... |
| CVE-2021-43332 | AVG-2552 | Medium | Yes | Private key recovery | In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could... |
| CVE-2021-43331 | AVG-2552 | Medium | Yes | Cross-site scripting | In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for cross-site scripting (XSS). |
| CVE-2021-42097 | AVG-2485 | Medium | Yes | Cross-site request forgery | GNU Mailman before 2.1.35 may allow remote privilege escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value... |
| CVE-2021-42096 | AVG-2485 | Medium | Yes | Private key recovery | GNU Mailman before 2.1.35 may allow remote privilege escalation. A certain csrf_token value is derived from the admin password, and may be useful in... |
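The CSRF entries above describe two token-design properties: a token that is not bound to one account or role (CVE-2021-42097, CVE-2021-44227) and a token derived from the admin password (CVE-2021-42096, CVE-2021-43332). The following Python example is added here to illustrate those two properties in general terms beside a hardened design; it is constructed for this page and is not Mailman's code. The names SERVER_KEY, weak_token, recover_password_from_weak_token, strong_token and verify_strong_token, as well as the sample list name, addresses and password, are assumptions.

```python
"""Constructed illustration of CSRF-token design, not Mailman's code.

weak_token: deterministic in (list, admin password), identical for every
user of the list, and an offline-attackable password artefact.
strong_token: HMAC over (list, principal, role, issue time) under a random
server-side key, so it carries no password material and is rejected for
any other principal or role.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Random per-installation secret (assumption); a deployment persists this
# server-side and never sends it to clients.
SERVER_KEY = secrets.token_bytes(32)


def weak_token(list_name: str, admin_password: str) -> str:
    """Weak design: a hash of the list name and admin password.

    Every member and moderator receives the same value, so any holder can
    reuse it on admin pages, and the value can be attacked offline."""
    return hashlib.sha256(f"{list_name}:{admin_password}".encode()).hexdigest()


def recover_password_from_weak_token(token: str, list_name: str,
                                     candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a weak token: test candidate passwords
    without contacting the server. Returns the matching password or None."""
    for candidate in candidates:
        if hmac.compare_digest(weak_token(list_name, candidate), token):
            return candidate
    return None


def strong_token(list_name: str, principal: str, role: str, issued: int,
                 key: bytes = SERVER_KEY) -> str:
    """Hardened design: bind the token to list, principal, role and time."""
    msg = f"{list_name}|{principal}|{role}|{issued}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{tag}"


def verify_strong_token(token: str, list_name: str, principal: str, role: str,
                        now: int, max_age: int = 3600,
                        key: bytes = SERVER_KEY) -> bool:
    """Accept only for the same list/principal/role, and only while fresh."""
    try:
        issued_str, tag = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if issued > now or now - issued > max_age:
        return False
    expected = strong_token(list_name, principal, role, issued, key).split(":", 1)[1]
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed sample data.
    weak = weak_token("announce", "hunter2")
    print("weak token recovered password:",
          recover_password_from_weak_token(weak, "announce", ["letmein", "hunter2"]))
    member = strong_token("announce", "alice@example.org", "member", 1000)
    print("member token accepted as admin:",
          verify_strong_token(member, "announce", "alice@example.org", "admin", 1500))
```

The hardened variant fixes both weaknesses at once: because the tag is keyed with a random server secret rather than derived from the password, a token leaks nothing about the credential, and because the principal and role are part of the HMAC input, a member's token cannot be replayed against an admin endpoint.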