Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.

From Red Hat Security Advisory 2011:0307 :

An updated mailman package that fixes multiple security issues is now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's 'listinfo' page. (CVE-2008-0564, CVE-2010-3089)

Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and CVE-2010-3089 issues.

Users of mailman should upgrade to this updated package, which contains backported patches to correct these issues.

Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's 'listinfo' page. (CVE-2008-0564, CVE-2010-3089)

An updated mailman package that fixes multiple security issues is now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's 'listinfo' page. (CVE-2008-0564, CVE-2010-3089)

Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and CVE-2010-3089 issues.

Users of mailman should upgrade to this updated package, which contains backported patches to correct these issues.

The remote Redhat Enterprise Linux 4 / 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2011:0307 advisory.

  - mailman: XSS triggerable by list administrator (CVE-2008-0564)

  - mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks (CVE-2010-3089)

  - Mailman: Three XSS flaws due improper escaping of the full name of the member (CVE-2011-0707)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied.

This security update contains fixes for the following products :

  - AppKit
  - Application Firewall
  - AFP Server
  - Apache
  - ClamAV
  - CoreTypes
  - CUPS
  - curl
  - Cyrus IMAP
  - Cyrus SASL
  - Disk Images
  - Directory Services
  - Event Monitor
  - FreeRADIUS
  - FTP Server
  - iChat Server
  - Image RAW
  - Libsystem
  - Mail
  - Mailman
  - OS Services
  - Password Server
  - perl
  - PHP
  - PS Normalizer
  - Ruby
  - Server Admin
  - SMB
  - Tomcat
  - unzip
  - vim
  - Wiki Server
  - X11
  - xar

This update of mailman fixes a cross-site scripting bug (CVE-2008-0564) and a mistake in translation.

This update of mailman fixes a cross-site-scripting bug (CVE-2008-0564) and a mistake in translation.

Multiple cross-site scripting (XSS) vulnerabilities were found in Mailman prior to version 2.1.10b1, which allow remote attackers to inject arbitrary web script or HTML via edting templates and the list's info attribute in the web administrator interface.

The updated packages have been patched to correct these issues.

Secunia reports :

A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.

Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed.

Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Tue Feb 5 2008 Tomas Smetana <tsmetana at redhat.com> -     3:2.1.9-5.3

    - patch for CVE-2008-0564; XSS triggerable by list       administrator

    - Wed Dec 5 2007 Tomas Smetana <tsmetana at redhat.com>
      - 3:2.1.9-5.2

    - more LC_CTYPE fixes

    - Tue Oct 16 2007 Tomas Smetana <tsmetana at redhat.com>
      - 3:2.1.9-5.1

    - fix #333011 -- withlist crashes with NameError

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Tue Feb 5 2008 Tomas Smetana <tsmetana at redhat.com> -     3:2.1.9-8.2

    - patch for CVE-2008-0564; XSS triggerable by list       administrator

    - Thu Jan 10 2008 Tomas Smetana <tsmetana at redhat.com>
      - 3:2.1.9-8.1

    - fix #393911 - mail is not added to the archive

    - Tue Oct 23 2007 Tomas Smetana <tsmetana at redhat.com>
      - 3:2.1.9-8

    - fix #333011 -- withlist crashes with NameError

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
68210	Oracle Linux 4 / 5 : mailman (ELSA-2011-0307)	Nessus	Oracle Linux Local Security Checks	medium
60968	Scientific Linux Security Update : mailman on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
52506	CentOS 4 / 5 : mailman (CESA-2011:0307)	Nessus	CentOS Local Security Checks	medium
52491	RHEL 4 / 5 : mailman (RHSA-2011:0307)	Nessus	Red Hat Local Security Checks	medium
45373	Mac OS X Multiple Vulnerabilities (Security Update 2010-002)	Nessus	MacOS X Local Security Checks	critical
41233	SuSE9 Security Update : mailman (YOU Patch Number 12224)	Nessus	SuSE Local Security Checks	medium
40063	openSUSE Security Update : mailman (mailman-151)	Nessus	SuSE Local Security Checks	medium
36638	Mandriva Linux Security Advisory : mailman (MDVSA-2008:061)	Nessus	Mandriva Local Security Checks	medium
34026	openSUSE 10 Security Update : mailman (mailman-5518)	Nessus	SuSE Local Security Checks	medium
33939	SuSE 10 Security Update : mailman (ZYPP Patch Number 5519)	Nessus	SuSE Local Security Checks	medium
32071	FreeBSD : mailman -- script insertion vulnerability (f47f2746-12c5-11dd-bab7-0016179b2dd5)	Nessus	FreeBSD Local Security Checks	medium
31603	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mailman vulnerability (USN-586-1)	Nessus	Ubuntu Local Security Checks	medium
31058	Fedora 7 : mailman-2.1.9-5.3 (2008-1356)	Nessus	Fedora Local Security Checks	medium
31057	Fedora 8 : mailman-2.1.9-8.2.fc8 (2008-1334)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2008-0564

medium

Tenable Plugins

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium