Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:4913-1 advisory.

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4913 advisory.

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4913 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4913 advisory.

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for mailman fixes the following issues :

Security issue fixed :

CVE-2016-6893: Fixed a Cross-site request forgery vulnerability in the admin web interface (bsc#997205).

Following bug was fixed: Allow CSRF check to pass in mailman web frontend if the list name contains a '+' (bsc#1102416)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mailman fixes the following issues :

Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user's browser via specially encoded URLs (bsc#1077358 CVE-2018-5950)

Fixed a directory traversal vulnerability in MTA transports when using the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)

Fixed a XSS vulnerability, which allowed malicious listowners to inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)

Fixed arbitrary text injection vulnerability in several mailman CGIs (CVE-2018-13796 bsc#1101288)

Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New version 2.1.26 (#1370156, #1304360)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mailman fixes the following security vulnerabilities :

Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user's browser via specially encoded URLs (bsc#1077358 CVE-2018-5950)

Fixed a directory traversal vulnerability in MTA transports when using the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)

Fixed a XSS vulnerability, which allowed malicious listowners to inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)

Fixed arbitrary text injection vulnerability in several mailman CGIs (CVE-2018-13796 bsc#1101288)

Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mailman to version 2.1.15 fixes the following issues :

  - CVE-2016-6893: Prevent cross-site request forgery (CSRF)     vulnerability in the user options page that allowed     remote attackers to hijack the authentication of     arbitrary users for requests that modify an option     (bsc#995352).

  - Various other hardenings against CSFR attacks For     details please see     https://launchpad.net/mailman/+milestone/2.1.15

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Cross-site scripting (XSS) vulnerability in web UI

A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions. (CVE-2018-5950)

CSRF protection missing in the user options page

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

Fix for CVE-2016-6893

----

Security fix for CVE-2018-5950

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could perform administrative actions. This issue only affected Ubuntu 12.04 LTS.
(CVE-2016-7123)

Nishant Agarwala discovered that the Mailman user options page did not protect against cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could modify user options. (CVE-2016-6893).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was a CSRF vulnerability in mailman, a web-based mailing list manager, which could allow an attacker to obtain a user's password.

It was discovered that there was a CSRF vulnerability in mailman, a web-based mailing list manager, which could allow an attacker to obtain a user's password.

For Debian 7 'Wheezy', this issue has been fixed in mailman version 1:2.1.15-1+deb7u2.

We recommend that you upgrade your mailman packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mark Sapiro reports :

CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP : #775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pages as well as the user options page and the previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.

ID	Name	Product	Family	Severity
158470	EulerOS 2.0 SP5 : mailman (EulerOS-SA-2022-1277)	Nessus	Huawei Local Security Checks	high
158309	EulerOS 2.0 SP3 : mailman (EulerOS-SA-2022-1177)	Nessus	Huawei Local Security Checks	high
155949	Scientific Linux Security Update : mailman on SL7.x x86_64 (2021:4913)	Nessus	Scientific Linux Local Security Checks	high
155863	CentOS 7 : mailman (CESA-2021:4913)	Nessus	CentOS Local Security Checks	high
155844	Oracle Linux 7 : mailman (ELSA-2021-4913)	Nessus	Oracle Linux Local Security Checks	high
155833	RHEL 7 : mailman (RHSA-2021:4913)	Nessus	Red Hat Local Security Checks	high
125678	SUSE SLES11 Security Update : mailman (SUSE-SU-2019:14068-1)	Nessus	SuSE Local Security Checks	high
121005	SUSE SLES11 Security Update : mailman (SUSE-SU-2019:13924-1)	Nessus	SuSE Local Security Checks	high
120397	Fedora 28 : 3:mailman (2018-4a699532d3)	Nessus	Fedora Local Security Checks	high
119955	SUSE SLES12 Security Update : mailman (SUSE-SU-2018:4296-1)	Nessus	SuSE Local Security Checks	high
110473	SUSE SLES11 Security Update : mailman (SUSE-SU-2018:1638-1)	Nessus	SuSE Local Security Checks	high
108848	Amazon Linux AMI : mailman (ALAS-2018-985)	Nessus	Amazon Linux Local Security Checks	high
108424	Fedora 27 : 3:mailman (2018-55b7018374)	Nessus	Fedora Local Security Checks	high
94467	Ubuntu 14.04 LTS / 16.04 LTS : Mailman vulnerabilities (USN-3118-1)	Nessus	Ubuntu Local Security Checks	high
93547	Debian DSA-3668-1 : mailman - security update	Nessus	Debian Local Security Checks	high
93320	Debian DLA-608-1 : mailman security update	Nessus	Debian Local Security Checks	high
93211	FreeBSD : mailman -- CSRF protection enhancements (b11ab01b-6e19-11e6-ab24-080027ef73ec)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-6893

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high