#VU14330 Spoofing attack in Mailman


Published: 2018-08-13

Vulnerability identifier: #VU14330

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13796

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mailman
Web applications / Webmail solutions

Vendor: GNU

Description

The vulnerability allows a remote attacker to conduct spoofing attack.

The vulnerability exists due to insufficient input validation. A remote attacker can submit a specially crafted URL and cause arbitrary text to be displayed on a web page from a trusted site.

Mitigation
Update to version 2.1.28.

Vulnerable software versions

Mailman: 1.0 - 2.1b1

External links
http://www.mail-archive.com/mailman-users@python.org/msg71003.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for mailman
Oracle Solaris security update for third party software (July 2020)
Ubuntu update for Mailman
Red Hat Enterprise Linux 7 update for mailman
Gentoo update for Mailman
OpenSUSE Linux update for mailman
Information disclosure in GNU Mailman