rpm package
suse/mailman&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-44227 | — | < 2.1.17-3.26.1 | 2.1.17-3.26.1 | Dec 2, 2021 | In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | ||
| CVE-2021-43332 | — | < 2.1.17-3.26.1 | 2.1.17-3.26.1 | Nov 12, 2021 | In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack. | ||
| CVE-2021-43331 | — | < 2.1.17-3.26.1 | 2.1.17-3.26.1 | Nov 12, 2021 | In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS. | ||
| CVE-2021-42096 | — | < 2.1.17-3.26.1 | 2.1.17-3.26.1 | Oct 21, 2021 | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. | ||
| CVE-2020-15011 | — | < 2.1.17-3.23.1 | 2.1.17-3.23.1 | Jun 24, 2020 | GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. |
- CVE-2021-44227Dec 2, 2021affected < 2.1.17-3.26.1fixed 2.1.17-3.26.1
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
- CVE-2021-43332Nov 12, 2021affected < 2.1.17-3.26.1fixed 2.1.17-3.26.1
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
- CVE-2021-43331Nov 12, 2021affected < 2.1.17-3.26.1fixed 2.1.17-3.26.1
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
- CVE-2021-42096Oct 21, 2021affected < 2.1.17-3.26.1fixed 2.1.17-3.26.1
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
- CVE-2020-15011Jun 24, 2020affected < 2.1.17-3.23.1fixed 2.1.17-3.23.1
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.