FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  482299
Date:      2018-10-17
Time:      15:54:15Z
Committer: feld

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
64691c49-4b22-11e0-a226-00e0815b8da8mailman -- XSS vulnerability

CVE reports:

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.


Discovery 2011-02-13
Entry 2011-03-10
mailman
lt 2.1.14_1

CVE-2011-0707
http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html
3d0eeef8-0cf9-11e8-99b0-d017c2987f9aMailman -- Cross-site scripting (XSS) vulnerability in the web UI

Mark Sapiro reports:

An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login.


Discovery 2018-01-20
Entry 2018-02-08
mailman
lt 2.1.26

mailman-with-htdig
lt 2.1.26

ja-mailman
le 2.1.14.j7_3,1

https://www.mail-archive.com/mailman-users@python.org/msg70478.html
CVE-2018-5950
b11ab01b-6e19-11e6-ab24-080027ef73ecmailman -- CSRF protection enhancements

Mark Sapiro reports:

CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pages as well as the user options page and the previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.


Discovery 2016-08-19
Entry 2016-08-29
mailman
lt 2.1.23

http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668
https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html
CVE-2016-6893
a5f160fa-deee-11e4-99f8-080027ef73ecmailman -- path traversal vulnerability

Mark Sapiro reports:

A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed.


Discovery 2015-03-27
Entry 2015-04-09
Modified 2015-06-17
mailman
lt 2.1.20

mailman-with-htdig
lt 2.1.20

ja-mailman
lt 2.1.14.j7_2,1

https://mail.python.org/pipermail/mailman-announce/2015-March/000209.html
https://bugs.launchpad.net/mailman/+bug/1437145
CVE-2015-2775
4ab29e12-e787-11df-adfa-00e0815b8da8Mailman -- cross-site scripting in web interface

Secunia reports:

Two vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.

Certain input passed via the list descriptions is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires "list owner" permissions.


Discovery 2010-09-14
Entry 2010-11-03
mailman
lt 2.1.14

43187
CVE-2010-3089
http://secunia.com/advisories/41265
9e50dcc3-740b-11e6-94a2-080027ef73ecmailman -- CSRF hardening in parts of the web interface

The late Tokio Kikuchi reported:

We may have to set lifetime for input forms because of recent activities on cross-site request forgery (CSRF). The form lifetime is successfully deployed in frameworks like web.py or plone etc. Proposed branch lp:~tkikuchi/mailman/form-lifetime implement lifetime in admin, admindb, options and edithtml interfaces. [...]

The web admin interface has been hardened against CSRF attacks by adding a hidden, encrypted token with a time stamp to form submissions and not accepting authentication by cookie if the token is missing, invalid or older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].


Discovery 2011-05-02
Entry 2016-09-06
mailman
lt 2.1.15

https://bugs.launchpad.net/mailman/+bug/775294
https://launchpad.net/mailman/2.1/2.1.15
CVE-2016-7123
4ab29e12-e787-11df-adfa-00e0815b8da8Mailman -- cross-site scripting in web interface

Secunia reports:

Two vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.

Certain input passed via the list descriptions is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires "list owner" permissions.


Discovery 2010-09-14
Entry 2010-11-03
mailman
lt 2.1.14

43187
CVE-2010-3089
http://secunia.com/advisories/41265
64691c49-4b22-11e0-a226-00e0815b8da8mailman -- XSS vulnerability

CVE reports:

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.


Discovery 2011-02-13
Entry 2011-03-10
mailman
lt 2.1.14_1

CVE-2011-0707
http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html