CVE-2020-15011
Description
GNU Mailman before 2.1.33 allows arbitrary content injection via the private archive login page when roster visibility is set to 'Anyone'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GNU Mailman versions before 2.1.33 allow arbitrary content injection via the Cgi/private.py private archive login page. The attack succeeds only if the list's roster visibility (private_roster) setting is 'Anyone' [1]. This is related to a similar bug, but the vector is the private archive login page [1].
Exploitation
The attacker does not need authentication, but the list must have the private_roster setting set to 'Anyone'. The exploit involves sending a specially crafted input to the private archive login page, which then injects arbitrary content [1][2].
Impact
An attacker can inject arbitrary content into the login page, which could lead to phishing, defacement, or other social engineering attacks [2]. The injection is in the context of the web interface, not the server-side environment.
Mitigation
The vulnerability is fixed in GNU Mailman version 2.1.33, which was released on 2020-06-24 [1]. Ubuntu published USN-4406-1 on 2020-06-29, recommending users update to the fixed package versions [2]. No workaround is documented if the patch cannot be applied.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GNU/Mailman
- OSV coordinates (21 package versions, none with a CPE assigned; each entry is followed by its affected version range):
  - pkg:rpm/opensuse/mailman&distro=openSUSE%20Leap%2015.2: < 2.1.34-lp152.7.3.1
  - pkg:rpm/suse/mailman&distro=HPE%20Helion%20OpenStack%208: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Enterprise%20Storage%205: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3: < 2.1.15-9.6.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS: < 2.1.15-9.6.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%207: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%208: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%209: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 2.1.17-3.23.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Package%20Hub%2015%20SP2: < 2.1.34-bp152.7.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the private archive login page allows arbitrary content injection."
Attack vector
An attacker can inject arbitrary content into the private archive login page. The attack succeeds only when the mailing list's `private_roster` setting is configured to 'Anyone' [1]. The attacker does not need authentication; they simply craft a malicious request to the private archive login endpoint, and the injected content is rendered in the response.
Affected code
The vulnerability resides in `Cgi/private.py`, the private archive login page. The bug is essentially the same as the one in bug #1873722, but the vector is the private archive login page and the attack only succeeds if the list's roster visibility (`private_roster`) setting is 'Anyone' [1].
What the fix does
The patch (attached to the bug report) fixes the content injection by properly sanitizing or escaping user-supplied input before rendering it in the private archive login page [1]. The fix ensures that any attacker-controlled data cannot be interpreted as HTML or script content by the browser, closing the injection vector.
Preconditions
- config: The mailing list's private_roster setting must be 'Anyone'
- auth: No authentication required; the attacker can be unauthenticated
- network: Network access to the private archive login page (Cgi/private.py)
- input: Attacker supplies crafted input (e.g., via URL parameters or form fields) that is not sanitized
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html (MITRE; vendor advisory; x_refsource_SUSE)
- usn.ubuntu.com/4406-1/ (MITRE; vendor advisory; x_refsource_UBUNTU)
- www.debian.org/security/2021/dsa-4991 (MITRE; vendor advisory; x_refsource_DEBIAN)
- bugs.launchpad.net/mailman/+bug/1877379 (MITRE; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/06/msg00036.html (MITRE; mailing list; x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2020/07/msg00007.html (MITRE; mailing list; x_refsource_MLIST)
News mentions
No linked articles in our index yet.