Vulnerabilities > GNU > Mailman

DATE CVE VULNERABILITY TITLE RISK
2023-04-15 CVE-2021-34337 Unspecified vulnerability in GNU Mailman
An issue was discovered in Mailman Core before 3.3.5.
local
high complexity
gnu
6.3
6.3
2021-12-02 CVE-2021-44227 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
network
low complexity
gnu debian CWE-352
8.8
8.8
2021-11-12 CVE-2021-43331 Cross-site Scripting vulnerability in multiple products
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
network
low complexity
gnu debian CWE-79
6.1
6.1
2021-11-12 CVE-2021-43332 Insufficiently Protected Credentials vulnerability in multiple products
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password.
network
low complexity
gnu debian CWE-522
6.5
6.5
2021-10-21 CVE-2021-42096 Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products
GNU Mailman before 2.1.35 may allow remote Privilege Escalation.
network
low complexity
gnu debian CWE-307
4.3
4.3
2021-10-21 CVE-2021-42097 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
GNU Mailman before 2.1.35 may allow remote Privilege Escalation.
network
low complexity
gnu debian CWE-352
8.0
8.0
2020-06-24 CVE-2020-15011 Injection vulnerability in multiple products
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.
network
low complexity
gnu canonical debian CWE-74
4.3
4.3
2020-05-06 CVE-2020-12108 Injection vulnerability in multiple products
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
network
low complexity
gnu debian fedoraproject opensuse canonical CWE-74
6.5
6.5
2020-04-24 CVE-2020-12137 Cross-site Scripting vulnerability in multiple products
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts.
network
low complexity
gnu debian fedoraproject canonical opensuse CWE-79
6.1
6.1
2018-07-26 CVE-2018-0618 Cross-site Scripting vulnerability in multiple products
Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
network
low complexity
gnu debian CWE-79
5.4
5.4