CVE-2021-43331
Description
GNU Mailman before 2.1.36 is vulnerable to stored XSS via crafted URL on the user options page, enabling arbitrary JavaScript execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An XSS vulnerability exists in GNU Mailman versions prior to 2.1.36. The bug resides in the Cgi/options.py user options page, where a crafted URL can inject arbitrary JavaScript that executes in the context of a user's browser. This occurs because input is not properly sanitized before being reflected in the page response [1][2].
Exploitation
An attacker needs to craft a malicious URL pointing to the user options page and entice a victim (typically a mailing list user or administrator) to click it. No authentication is required for the crafted URL to exploit the flaw; the victim's session will process the injected script when the page loads [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page (e.g., private account settings or CSRF tokens). The attacker gains no direct access to the server but can impersonate the victim within the Mailman application [1][2].
Mitigation
The vulnerability is fixed in GNU Mailman 2.1.36, released on 2021-11-12. For versions prior, users should upgrade immediately, as no other workaround is provided by the vendor. Mailman 2.1.36 is available from Launchpad, GNU FTP, and SourceForge [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
15 entries
- GNU Mailman / GNU Mailman (vendor description)
- OSV coordinates, 13 SUSE package versions, all affected in range < 2.1.17-3.26.1:
  - pkg:rpm/suse/mailman&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 2.1.17-3.26.1
  - pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 2.1.17-3.26.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization in the user options page allows reflected cross-site scripting via crafted URL parameters."
Attack vector
An attacker crafts a malicious URL containing JavaScript payloads and sends it to a victim. When the victim visits the crafted URL pointing to the `Cgi/options.py` user options page, the arbitrary JavaScript executes in the victim's browser context [1]. No authentication is required to trigger the reflected XSS, as the payload is delivered via the URL itself.
Affected code
The vulnerability is in the `Cgi/options.py` user options page of GNU Mailman. A crafted URL to this page can execute arbitrary JavaScript, indicating that user-supplied input from the URL is reflected without proper sanitization.
What the fix does
The fix was released in GNU Mailman version 2.1.36. The patch likely introduces proper output encoding or input validation in `Cgi/options.py` to ensure that user-supplied values from the URL are safely escaped before being rendered in the HTML response, preventing script injection.
Preconditions
- input: The victim must visit a crafted URL pointing to the `Cgi/options.py` page.
- auth: No authentication is required; the attack is reflected XSS via URL parameters.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 references
1. bugs.launchpad.net/mailman/+bug/1949401 (MITRE, x_refsource_MISC)
2. lists.debian.org/debian-lts-announce/2022/06/msg00011.html (MITRE, mailing list, x_refsource_MLIST)
3. mail.python.org/archives/list/mailman-announce%40python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.