#VU365 Cross-site request forgery in Mailman


Published: 2016-09-07 | Updated: 2021-12-06

Vulnerability identifier: #VU365

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6893

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mailman
Web applications / Webmail solutions

Vendor: GNU

Description

The vulnerability allows a remote attacker to perform cross-site request forgery (CSRF) attacks against Mailman users.

The vulnerability exists because the user options page does not verify that state-changing requests were intentionally submitted by the user, so a request forged from another site is accepted. A remote attacker can trick a logged-in victim into visiting a malicious page containing a CSRF exploit and modify the victim's subscription options on their behalf, including setting a new password for the victim's account.

Successful exploitation of this vulnerability allows an attacker to take over the victim's list membership settings and account password.
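To make the failure mode concrete, the following added example contrasts an options handler that trusts the session cookie alone (the CWE-352 pattern described above) with one that additionally requires a token bound to the victim's session, and replays the same forged request against both. This is illustrative code written for this page, not Mailman's implementation or the fix shipped in 2.1.23; requests are modelled as plain dicts, the `SECRET_KEY`, session identifier and form field names are assumptions, and all inputs are constructed.

```python
"""Illustrative CSRF 'before' and 'after' for a user-options form (added example)."""
import hashlib
import hmac
import os

# Hypothetical per-deployment secret used to derive CSRF tokens.
SECRET_KEY = os.urandom(32)


def make_csrf_token(session_id, action):
    """Token bound to the victim's session and to the form it protects.

    A page on another origin cannot read the victim's cookie, so it can
    neither compute nor obtain this value to place it in a forged form.
    """
    msg = ("%s:%s" % (session_id, action)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def _current_user(request, sessions):
    # The browser attaches the session cookie to any POST aimed at the
    # site, including one auto-submitted by an attacker-controlled page.
    return sessions.get(request["cookies"].get("session"))


def _apply_options(user, form):
    """Apply the submitted options; 'new_password' is the high-value field."""
    if "new_password" in form:
        user["password"] = form["new_password"]
    if "digest" in form:
        user["digest"] = form["digest"] == "on"


def handle_options_vulnerable(request, sessions):
    """'Before': only the session cookie is checked, so any page the victim
    visits can submit this form in the victim's name (CWE-352)."""
    user = _current_user(request, sessions)
    if user is None:
        return 401
    _apply_options(user, request["form"])
    return 200


def handle_options_hardened(request, sessions):
    """'After': the form must also carry a token derived from the session.

    The comparison is constant-time so the token cannot be recovered by
    timing differences.
    """
    user = _current_user(request, sessions)
    if user is None:
        return 401
    expected = make_csrf_token(request["cookies"]["session"], "options")
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403
    _apply_options(user, request["form"])
    return 200


def demo():
    """Replay a forged and a legitimate request; return statuses and outcomes."""
    victim = {"name": "victim", "password": "original"}  # constructed record
    cookies = {"session": "s3ss10n"}  # constructed session cookie
    vuln_sessions = {"s3ss10n": dict(victim)}
    hard_sessions = {"s3ss10n": dict(victim)}

    # Forged request: the victim's browser supplies the cookie, but the
    # attacker's page knows nothing about a per-session token.
    forged = {"cookies": cookies, "form": {"new_password": "attacker-chosen"}}
    # Legitimate request: the token was rendered into the real options form.
    legit = {"cookies": cookies,
             "form": {"new_password": "user-chosen",
                      "csrf_token": make_csrf_token("s3ss10n", "options")}}

    results = {}
    status = handle_options_vulnerable(forged, vuln_sessions)
    results["vulnerable_forged"] = (status, vuln_sessions["s3ss10n"]["password"])
    status = handle_options_hardened(forged, hard_sessions)
    results["hardened_forged"] = (status, hard_sessions["s3ss10n"]["password"])
    status = handle_options_hardened(legit, hard_sessions)
    results["hardened_legit"] = (status, hard_sessions["s3ss10n"]["password"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The forged request is exactly what an attacker's auto-submitting HTML form would produce: the browser adds the victim's cookie, the attacker supplies the fields. Against the first handler that is enough to replace the password; against the second it is rejected with 403 and the record is untouched, while the same request carrying the token the real form rendered succeeds.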

Mitigation
Update to version 2.1.23.

Vulnerable software versions

Mailman: 2.1.1 - 2.1.22


External links
http://www.gnu.org/software/mailman/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, provided the victim is logged in to Mailman and is induced to open a page controlled by the attacker.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
