
CVE-2016-6893

Published: 02/09/2016 Updated: 13/08/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x prior to 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. The options page accepted state-changing form submissions on the strength of the victim's session cookie alone, so a page under the attacker's control could submit them from the victim's browser; 2.1.23 extends Mailman's existing CSRF protection (a hidden token field) to this page, as the Debian bug report below states.

Vulnerable Products

Note: 2.1.23 appears in this list even though the summary above and the Debian advisory below identify it as the fixed release; treat the entries as the database's product matches, not a verified affected set. Distribution packages backport the fix without changing the upstream version string (Debian jessie ships it as 1:2.1.18-2+deb8u1 while still reporting 2.1.18), so check the package version rather than the version Mailman reports.

gnu mailman 2.1
gnu mailman 2.1.1
gnu mailman 2.1.2
gnu mailman 2.1.3
gnu mailman 2.1.4
gnu mailman 2.1.5
gnu mailman 2.1.6
gnu mailman 2.1.8
gnu mailman 2.1.9
gnu mailman 2.1.10b1
gnu mailman 2.1.10b3
gnu mailman 2.1.10b4
gnu mailman 2.1.10
gnu mailman 2.1.11
gnu mailman 2.1.12
gnu mailman 2.1.13
gnu mailman 2.1.14
gnu mailman 2.1.14-1
gnu mailman 2.1.15
gnu mailman 2.1.16
gnu mailman 2.1.17
gnu mailman 2.1.18
gnu mailman 2.1.18-1
gnu mailman 2.1.19
gnu mailman 2.1.20
gnu mailman 2.1.21
gnu mailman 2.1.22
gnu mailman 2.1.23

Vendor Advisories

Debian Bug report logs - #835970 mailman: CVE-2016-6893: CSRF protection needs to be extended to the user options page. Package: src:mailman; Maintainer for src:mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 29 Aug 2016 15:54 ...

Several security issues were fixed in Mailman ...

It was discovered that there was a CSRF vulnerability in mailman, a web-based mailing list manager, which could allow an attacker to obtain a user's password. For the stable distribution (jessie), this problem has been fixed in version 1:2.1.18-2+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 1:2.1.23-1. We reco ...

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account (CVE-2016-6893). A Cross-Site Request Forgery (CSRF) attack ...

Cross-site scripting (XSS) vulnerability in web UI. A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions (CVE-2018-5950). CSRF protection missing in the user options page. Cross-sit ...