
CVE-2021-43331

Published: 12/11/2021 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

In GNU Mailman prior to 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

gnu mailman

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #1000367 mailman: CVE-2021-43331 (XSS) and CVE-2021-43332 (moderator can discover admin password). Package: mailman; Maintainer for mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Source for mailman is src:mailman (PTS, buildd, popcon). Reported by: Thomas Arendsen Hein ...
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS (CVE-2021-43331). In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brut ...
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for cross-site scripting (XSS) ...