CVE-2020-12108
Description
The GNU Mailman options login page before version 2.1.31 allows injection of arbitrary HTML content via the email parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The /options/mailman endpoint in GNU Mailman versions prior to 2.1.31 allows arbitrary content injection via the email POST parameter. This is similar to CVE-2018-13796 but at a different endpoint and parameter. The code path is reachable when an authenticated or unauthenticated user submits a specially crafted form to the options login page. [1], [2], [4]
Exploitation
An attacker can craft an HTML page that includes a form submission to the target Mailman server's /options/mailman endpoint. The form contains a hidden email field with arbitrary HTML and text, such as a phishing message. The victim only needs to open the attacker-supplied HTML page (e.g., via a phishing link) and click the submit button. The browser sends a POST request to the Mailman server, which then reflects the injected content back in the response. [4]
Impact
Successful exploitation allows an attacker to inject arbitrary content (such as phishing links or misleading messages) into the options login page response. This could trick users into disclosing credentials or other sensitive information. The attack is essentially a Content Injection vulnerability and has a medium severity according to the upstream bug report. [3], [4]
Mitigation
The vulnerability is fixed in GNU Mailman version 2.1.31, released on or around May 2020. Ubuntu issued security notice USN-4354-1 providing updated packages for affected Ubuntu releases. Users should upgrade to the latest version to mitigate the risk. No known workarounds exist for unpatched installations. [1], [3]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GNU/Mailman (23 affected product entries; the 21 OSV version coordinates below carry no CPE)
- pkg:rpm/opensuse/mailman, openSUSE Leap 15.1: < 2.1.29-lp151.3.11.1
- pkg:rpm/opensuse/mailman, openSUSE Leap 15.2: < 2.1.34-lp152.7.3.1
- pkg:rpm/suse/mailman, HPE Helion OpenStack 8: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Enterprise Storage 5: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP1-LTSS: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP2-BCL: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP2-LTSS: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP3-BCL: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP3-LTSS: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP4: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server 12 SP5: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server for SAP Applications 12 SP1: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server for SAP Applications 12 SP2: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server for SAP Applications 12 SP3: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE OpenStack Cloud 7: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE OpenStack Cloud 8: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE OpenStack Cloud Crowbar 8: < 2.1.17-3.20.1
- pkg:rpm/suse/mailman, SUSE Package Hub 15 SP1: < 2.1.29-bp151.5.9.1
- pkg:rpm/suse/mailman, SUSE Package Hub 15 SP2: < 2.1.34-bp152.7.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `email` parameter in the options login page allows arbitrary content injection."
Attack vector
An attacker crafts an HTML page containing a form that POSTs to the victim Mailman instance's `/mailman/options/mailman` endpoint. The `email` parameter is set to a malicious string (e.g., "Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com"). When a victim submits the form, the Mailman server reflects this content back in the response page, displaying the attacker's arbitrary message to the victim. This enables phishing attacks where the victim is tricked into believing their account is compromised and is directed to an attacker-controlled site.
Affected code
The vulnerability is in the `/options/mailman` endpoint of GNU Mailman, specifically the options login page. The bug report identifies this as the same class of issue as CVE-2018-13796 but at a different endpoint and parameter.
What the fix does
The fix was released in GNU Mailman version 2.1.31. The advisory does not include a patch diff, but the bug report indicates the issue was resolved in that release. The remediation addresses the lack of input sanitization on the `email` parameter in the options login page, preventing arbitrary content from being injected into the response page.
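An added illustration, not Mailman's own code (which this page does not reproduce), of the reflection pattern behind this bug beside the escaped form the remediation class calls for; the page template, function names and sample input are assumptions constructed for the example:

```python
# Added example: a minimal stand-in for a login page that echoes the submitted
# `email` value, first interpolated as-is (the CVE-2020-12108 pattern) and then
# HTML-escaped. The template and names are assumptions, not Mailman's code.
import html
import re

# Assumed page template; only the {email} slot carries user input.
TEMPLATE = (
    "<html><body><h1>Mailing list membership options</h1>"
    "<p>No such member: {email}</p>"
    "</body></html>"
)


def render_unescaped(email: str) -> str:
    """Vulnerable pattern: user-supplied text lands in the HTML untouched."""
    return TEMPLATE.format(email=email)


def render_escaped(email: str) -> str:
    """Hardened pattern: escape <, >, &, and quotes before interpolation."""
    return TEMPLATE.format(email=html.escape(email, quote=True))


# Any tag other than the ones our own template emits is foreign content.
TAG_RE = re.compile(r"<(?!/?(?:html|body|h1|p)\b)[^>]+>")


def foreign_tags(page: str) -> list:
    """Regression check: list tags in the page that the template did not emit."""
    return [m.group(0) for m in TAG_RE.finditer(page)]


# Constructed sample input: markup rather than a plausible e-mail address.
SAMPLE = '<a href="https://example.invalid">click here</a>'


def demo():
    """Return the foreign tags found in the vulnerable and hardened renderings."""
    return foreign_tags(render_unescaped(SAMPLE)), foreign_tags(render_escaped(SAMPLE))


if __name__ == "__main__":
    print(demo())
```

The `foreign_tags` check is the shape of test a deployment can run against its own login page response: submit a marker value containing markup and assert that no tag beyond the page's own template comes back.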
Preconditions
- input: The attacker must host a crafted HTML page that the victim visits.
- network: The victim must submit the form on the attacker's page, sending a POST request to the Mailman server.
- config: The Mailman instance must be publicly accessible and have the options login page enabled.
Reproduction
1. Create an HTML file with the following content (replacing the action URL with the target Mailman instance):
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html (vendor advisory, x_refsource_SUSE)
2. lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html (vendor advisory, x_refsource_SUSE)
3. lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html (vendor advisory, x_refsource_SUSE)
4. lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html (vendor advisory, x_refsource_SUSE)
5. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/ (vendor advisory, x_refsource_FEDORA)
6. usn.ubuntu.com/4354-1/ (vendor advisory, x_refsource_UBUNTU)
7. www.debian.org/security/2021/dsa-4991 (vendor advisory, x_refsource_DEBIAN)
8. bugs.launchpad.net/mailman/+bug/1873722 (x_refsource_CONFIRM)
9. code.launchpad.net/mailman (x_refsource_MISC)
10. lists.debian.org/debian-lts-announce/2020/05/msg00007.html (mailing list, x_refsource_MLIST)
11. lists.debian.org/debian-lts-announce/2020/07/msg00007.html (mailing list, x_refsource_MLIST)
12. mail.python.org/pipermail/mailman-announce/ (x_refsource_MISC)
News mentions
No linked articles in our index yet.