FreeBSD9D7A2B54-4468-11EC-8532-0D24C37C72C8mailman -- 2.1.37 fixes XSS via user options, and moderator offline brute-force vuln against list admin password
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
70.1%
Mark Sapiro reports:
A potential XSS attack via the user options page has been reported by
Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).
A potential for for a list moderator to carry out an off-line brute force
attack to obtain the list admin password has been reported by Andre
Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
CVE-2021-43332 (LP: #1949403)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | mailman | < 2.1.37 | UNKNOWN |
| FreeBSD | any | noarch | mailman-exim4 | < 2.1.37 | UNKNOWN |
| FreeBSD | any | noarch | mailman-exim4-with-htdig | < 2.1.37 | UNKNOWN |
| FreeBSD | any | noarch | mailman-postfix | < 2.1.37 | UNKNOWN |
| FreeBSD | any | noarch | mailman-postfix-with-htdig | < 2.1.37 | UNKNOWN |
| FreeBSD | any | noarch | mailman-with-htdig | < 2.1.37 | UNKNOWN |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
70.1%