FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  518000
Date:      2019-11-20
Time:      10:57:40Z
Committer: zeising

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
f47f2746-12c5-11dd-bab7-0016179b2dd5mailman -- script insertion vulnerability

Secunia reports:

A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.

Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed.


Discovery 2008-02-05
Entry 2008-04-25
ja-mailman
mailman
mailman-with-htdig
lt 2.1.10

CVE-2008-0564
27630
http://www.ubuntu.com/usn/usn-586-1
http://secunia.com/advisories/28794
http://sourceforge.net/project/shownotes.php?release_id=593924
b4f0ad36-94a5-11e8-9007-080027ac955cmailman -- content spoofing with invalid list names in web UI

Mark Sapiro reports:

A URL with a very long text listname such as

http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text

will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

This issue was discovered by Hammad Qureshi.


Discovery 2018-07-09
Entry 2018-07-31
mailman
lt 2.1.28

mailman-with-htdig
lt 2.1.28

ja-mailman
lt 2.1.14.j7_6,1

https://bugs.launchpad.net/mailman/+bug/1780874
https://mail.python.org/pipermail/mailman-announce/2018-July/000241.html
CVE-2018-13796
3d0eeef8-0cf9-11e8-99b0-d017c2987f9aMailman -- Cross-site scripting (XSS) vulnerability in the web UI

Mark Sapiro reports:

An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login.


Discovery 2018-01-20
Entry 2018-02-08
mailman
lt 2.1.26

mailman-with-htdig
lt 2.1.26

ja-mailman
le 2.1.14.j7_3,1

https://www.mail-archive.com/mailman-users@python.org/msg70478.html
CVE-2018-5950
8be2e304-cce6-11da-a3b1-00123ffe8333mailman -- Private Archive Script Cross-Site Scripting

Secunia reports:

A vulnerability has been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input passed to the private archive script is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.


Discovery 2006-04-07
Entry 2006-04-16
mailman
ja-mailman
mailman-with-htdig
lt 2.1.8

CVE-2006-1712
http://mail.python.org/pipermail/mailman-announce/2006-April/000084.html
http://secunia.com/advisories/19558/
739948e3-78bf-11e8-b23c-080027ac955cmailman -- hardening against malicious listowners injecting evil HTML scripts

Mark Sapiro reports:

Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added.

A few more error messages have had their values HTML escaped.

The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address.


Discovery 2018-03-09
Entry 2018-06-25
mailman
lt 2.1.27

mailman-with-htdig
lt 2.1.27

ja-mailman
lt 2.1.14.j7_5,1

https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8
https://www.mail-archive.com/mailman-users@python.org/
CVE-2018-0618
a5f160fa-deee-11e4-99f8-080027ef73ecmailman -- path traversal vulnerability

Mark Sapiro reports:

A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed.


Discovery 2015-03-27
Entry 2015-04-09
Modified 2015-06-17
mailman
lt 2.1.20

mailman-with-htdig
lt 2.1.20

ja-mailman
lt 2.1.14.j7_2,1

https://mail.python.org/pipermail/mailman-announce/2015-March/000209.html
https://bugs.launchpad.net/mailman/+bug/1437145
CVE-2015-2775
f47f2746-12c5-11dd-bab7-0016179b2dd5mailman -- script insertion vulnerability

Secunia reports:

A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.

Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed.


Discovery 2008-02-05
Entry 2008-04-25
ja-mailman
mailman
mailman-with-htdig
lt 2.1.10

CVE-2008-0564
27630
http://www.ubuntu.com/usn/usn-586-1
http://secunia.com/advisories/28794
http://sourceforge.net/project/shownotes.php?release_id=593924
fffa9257-3c17-11db-86ab-00123ffe8333mailman -- Multiple Vulnerabilities

Secunia reports:

Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service).

1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL.

Successful exploitation may trick an administrator into visiting a malicious web site.

2) An error in the processing of malformed headers which does not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service).

3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Discovery 2006-06-09
Entry 2006-09-04
Modified 2006-10-04
mailman
ja-mailman
mailman-with-htdig
lt 2.1.9.r1

19831
CVE-2006-2191
CVE-2006-2941
CVE-2006-3636
CVE-2006-4624
http://secunia.com/advisories/21732/
http://sourceforge.net/project/shownotes.php?group_id=103&release_id=444295
8be2e304-cce6-11da-a3b1-00123ffe8333mailman -- Private Archive Script Cross-Site Scripting

Secunia reports:

A vulnerability has been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input passed to the private archive script is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.


Discovery 2006-04-07
Entry 2006-04-16
mailman
ja-mailman
mailman-with-htdig
lt 2.1.8

CVE-2006-1712
http://mail.python.org/pipermail/mailman-announce/2006-April/000084.html
http://secunia.com/advisories/19558/
fffa9257-3c17-11db-86ab-00123ffe8333mailman -- Multiple Vulnerabilities

Secunia reports:

Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service).

1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL.

Successful exploitation may trick an administrator into visiting a malicious web site.

2) An error in the processing of malformed headers which does not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service).

3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Discovery 2006-06-09
Entry 2006-09-04
Modified 2006-10-04
mailman
ja-mailman
mailman-with-htdig
lt 2.1.9.r1

19831
CVE-2006-2191
CVE-2006-2941
CVE-2006-3636
CVE-2006-4624
http://secunia.com/advisories/21732/
http://sourceforge.net/project/shownotes.php?group_id=103&release_id=444295