Vulnerability identifier: #VU365
Vulnerability risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-352
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mailman
Web applications /
Webmail solutions
Vendor: GNU
Description
The vulnerability allows attackers to perform cross-site request forgery attacks.
The vulnerability exists due to incorrect validation of HTTP request origin. A remote attacker can trick the victim to visit a malicious page with CSRF exploit and obtain victim's password.
Successful exploitation of this vulnerability will allow an attacker to compromise vulnerable application.
Mitigation
Update to version 2.1.23.
Vulnerable software versions
Mailman: 2.1.1 - 2.1.22
External links
http:httpwww.gnu.org/software/mailman/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.