rpm package: opensuse/mailman (distro: openSUSE Leap 15.2)
purl: pkg:rpm/opensuse/mailman?distro=openSUSE%20Leap%2015.2
Vulnerabilities (5)
| CVE | Severity | CVSS | CISA KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-42097 | — | — | — | < 2.1.35-lp152.7.6.1 | 2.1.35-lp152.7.6.1 | Oct 21, 2021 | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for ac |
| CVE-2021-42096 | — | — | — | < 2.1.35-lp152.7.6.1 | 2.1.35-lp152.7.6.1 | Oct 21, 2021 | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. |
| CVE-2020-15011 | — | — | — | < 2.1.34-lp152.7.3.1 | 2.1.34-lp152.7.3.1 | Jun 24, 2020 | GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. |
| CVE-2020-12108 | — | — | — | < 2.1.34-lp152.7.3.1 | 2.1.34-lp152.7.3.1 | May 6, 2020 | /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. |
| CVE-2020-12137 | — | — | — | < 2.1.34-lp152.7.3.1 | 2.1.34-lp152.7.3.1 | Apr 24, 2020 | GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform |
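The "Affected versions" column only answers the question once an installed version has been compared to it correctly: RPM compares an epoch, then the version, then the release, segment by segment, so a naive string comparison gets cases like 2.1.9 vs 2.1.10 or 1.0~rc1 vs 1.0 wrong. The following script is an added example, not tooling from openSUSE or from the vulnerability database that produced this listing. It assumes the fixed-in EVRs copied from the table above, a compact re-implementation of rpm's rpmvercmp (digit and alpha segments plus the tilde rule; the newer `^` operator is not handled), and the real `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'` query, whose `(none)` epoch output is mapped to 0. Off an openSUSE host it falls back to a constructed sample version.

```python
"""Check an installed mailman EVR against the 'Fixed in' column of the listing.

Added example, not code from the vulnerability database or openSUSE.
Assumptions: FIXED_IN is copied from the table above; rpmvercmp() is a
compact port of rpm's algorithm (digit/alpha segments and '~'; the newer
'^' operator is not implemented).
"""
import re
import shutil
import subprocess
from itertools import zip_longest

# Fixed-in EVRs from the table above (these openSUSE builds carry no epoch).
FIXED_IN = {
    "CVE-2021-42097": "2.1.35-lp152.7.6.1",
    "CVE-2021-42096": "2.1.35-lp152.7.6.1",
    "CVE-2020-15011": "2.1.34-lp152.7.3.1",
    "CVE-2020-12108": "2.1.34-lp152.7.3.1",
    "CVE-2020-12137": "2.1.34-lp152.7.3.1",
}

# rpm splits on runs of digits or letters; every other character is a separator.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does: -1, 0 or 1.

    Numeric segments compare as integers (2.1.9 < 2.1.10), a numeric segment
    beats an alphabetic one, a longer otherwise-equal string is newer
    (2.1.35 < 2.1.35a), and '~' sorts before everything, including the end
    of the string (1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:      # a ran out first and b has no '~': b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' as printed by rpm -q --qf."""
    epoch, rest = 0, evr
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)   # rpm prints (none) for no epoch
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def open_cves(installed_evr: str) -> list:
    """CVEs from the listing whose fix is newer than the installed EVR."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if evr_cmp(installed_evr, fixed) < 0)


def installed_evr(package: str = "mailman"):
    """Installed EVR via rpm, or None when rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", package],
        capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    # Constructed fallback so the script also runs off an openSUSE host.
    evr = installed_evr() or "2.1.34-lp152.7.3.1"
    print(evr, "still affected by:", ", ".join(open_cves(evr)) or "nothing in this listing")
```

Note the epoch caveat: a hypothetical build with an epoch, such as 1:2.1.29-lp152.7.2.1, compares as newer than every fix in the table even though its version is older, which is why the query format above asks rpm for `%{EPOCH}` explicitly rather than relying on `rpm -q` output alone.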