mailman

Description Unknown
Version Removed

Resolved

Group     Affected  Fixed     Severity  Status  Ticket
AVG-2598  2.1.37-1  2.1.38-1  Medium    Fixed
AVG-2552  2.1.35-1  2.1.37-1  Medium    Fixed
AVG-2485  2.1.34-2  2.1.35-1  Medium    Fixed
Issue           Group     Severity  Remote  Type                        Description (on the following line)
CVE-2021-44227  AVG-2598  Medium    Yes     Cross-site request forgery
    In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or...
CVE-2021-43332  AVG-2552  Medium    Yes     Private key recovery
    In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could...
CVE-2021-43331  AVG-2552  Medium    Yes     Cross-site scripting
    In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for cross-site scripting (XSS).
CVE-2021-42097  AVG-2485  Medium    Yes     Cross-site request forgery
    GNU Mailman before 2.1.35 may allow remote privilege escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value...
CVE-2021-42096  AVG-2485  Medium    Yes     Private key recovery
    GNU Mailman before 2.1.35 may allow remote privilege escalation. A certain csrf_token value is derived from the admin password, and may be useful in...
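The two CSRF-token design flaws the advisories above describe (a token derived from the admin password, and a token that is not bound to the principal it was issued to) are easier to see side by side with a token that does not have them. The following is an added illustrative example, not Mailman's own code and not the fix shipped in 2.1.35/2.1.36/2.1.38; the list name, admin password, wordlist and the `weak_*`/`strong_*` function names are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed sample data for this illustration; not taken from any real install.
LIST_NAME = "announce"
ADMIN_PASSWORD = "correct horse battery staple"
TOKEN_TTL = 3600  # seconds a token stays valid in the hardened scheme


# ---- Weak scheme: reproduces the two design flaws described in the advisories ----
# 1. The MAC is computed directly over the admin password, so every token leaks
#    material that can be attacked offline (CVE-2021-42096 / CVE-2021-43332).
# 2. Nothing in the token says who it was issued to (admin, moderator, member),
#    so a token handed to a moderator page verifies just as well on an admin
#    form (CVE-2021-42097 / CVE-2021-44227).
# This is a simplified construction for illustration, not Mailman's actual one.

def weak_token(issued: int) -> str:
    mac = hashlib.sha1(f"{ADMIN_PASSWORD}{issued}".encode()).hexdigest()
    return f"{issued}:{mac}"


def weak_verify(token: str) -> bool:
    """Accepts any well-formed token; it never asks which principal presents it."""
    try:
        issued, _ = token.split(":", 1)
        return hmac.compare_digest(token, weak_token(int(issued)))
    except ValueError:
        return False


def weak_offline_guess(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """What any token holder can do: test password guesses without touching the server."""
    issued, mac = token.split(":", 1)
    for guess in wordlist:
        if hashlib.sha1(f"{guess}{issued}".encode()).hexdigest() == mac:
            return guess
    return None


# ---- Hardened scheme ----
# A random per-server secret (never a password) keys an HMAC over the list name,
# the presenting principal, the authorization context (role) and the issue time,
# so a token is only valid for the exact context it was minted for and leaks
# nothing about any password.

SERVER_SECRET = os.urandom(32)  # generated per process here; persist it server-side in practice


def strong_token(list_name: str, principal: str, role: str,
                 issued: Optional[int] = None) -> str:
    issued = int(time.time()) if issued is None else issued
    msg = "\0".join([list_name, principal, role, str(issued)]).encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def strong_verify(token: str, list_name: str, principal: str, role: str,
                  now: Optional[int] = None) -> bool:
    """Valid only for the same list, principal and role, and only within TOKEN_TTL of issue."""
    now = int(time.time()) if now is None else now
    try:
        issued_s, _ = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(token, strong_token(list_name, principal, role, issued))


if __name__ == "__main__":
    issued = 1700000000
    t = weak_token(issued)  # as handed out on a moderator's admindb page
    print("weak token accepted on admin form:", weak_verify(t))
    print("admin password recovered offline:",
          weak_offline_guess(t, ["password", "letmein", ADMIN_PASSWORD]))
    s = strong_token(LIST_NAME, "mod@example.org", "moderator", issued)
    print("moderator token on admin form:",
          strong_verify(s, LIST_NAME, "mod@example.org", "admin", now=issued + 5))
    print("moderator token on moderator form:",
          strong_verify(s, LIST_NAME, "mod@example.org", "moderator", now=issued + 5))
```

The point of the hardened form is not the hash algorithm but the inputs: the key is a random server secret the token cannot leak, and the principal and role are part of the MAC input, so the server verifies the token against the identity it actually authenticated rather than against a list-wide value.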