GNU Mailman Cross Site Scripting Vulnerability

vendor:

Mailman

by:

SecurityFocus

7.5

CVSS

HIGH

Cross Site Scripting

CWE

Product Name: Mailman

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

GNU Mailman Cross Site Scripting Vulnerability

A vulnerability has been discovered in GNU Mailman. It has been reported that Mailman is prone to cross site scripting attacks. This is due to insufficient santization of URI parameters. As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. If such a link is followed, the attacker-supplied code will be interpreted in the web browser of the victim of the attack. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6677/info

A vulnerability has been discovered in GNU Mailman. It has been reported that Mailman is prone to cross site scripting attacks. This is due to insufficient santization of URI parameters.


As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. If such a link is followed, the attacker-supplied code will be interpreted in the web browser of the victim of the attack. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

https://www.yourserver.com:443/mailman/options/yourlist?
language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>