Advisory ROSA-SA-2021-1913

2021-07-02 17:27:17
ROSA LAB
abf.rosalinux.ru
Tags: mailman 2.1.15, cobalt 7.9, csrf vulnerability, user authentication, arbitrary text display, xss vulnerability, injection of arbitrary content, mime octet stream, archive web server, login page privacy, gnu mailman, security advisory

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector:          NETWORK
  Attack Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL

CVSS3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
  Attack Vector:          NETWORK
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       REQUIRED
  Scope:                  UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact:       HIGH
  Availability Impact:    NONE

AI Score: 6.6 (Confidence: High)
EPSS: 0.012 (Percentile: 85.2%)

Software: mailman 2.1.15
OS: Cobalt 7.9

CVE-ID: CVE-2016-6893
CVE-Crit: HIGH
CVE-DESC: A cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x through 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify a parameter, as demonstrated by gaining access to the credentials of a victim account.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-13796
CVE-Crit: MEDIUM
CVE-DESC: An issue was found in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-5950
CVE-Crit: MEDIUM
CVE-DESC: A cross-site scripting (XSS) vulnerability in the Mailman web interface prior to version 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-defined URL.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-12108
CVE-Crit: MEDIUM
CVE-DESC: /options/mailman in GNU Mailman before 2.1.31 allows the injection of arbitrary content.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-12137
CVE-Crit: MEDIUM
CVE-DESC: GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior can facilitate XSS attacks against list-archive visitors, because the HTTP response from the archive web server may lack a MIME type, so the web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15011
CVE-Crit: MEDIUM
CVE-DESC: GNU Mailman before 2.1.33 allows arbitrary content to be injected via the Cgi/private.py private archive login page.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package  Version   Filename
Cobalt  any      noarch        mailman  < 2.1.15  UNKNOWN
