PT-2020-3002 · GNU · GNU Mailman

Mark Sapiro · Published 2020-06-08 · Updated 2021-12-01 · CVE-2020-15011

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GNU Mailman versions prior to 2.1.33

Description: The issue exists due to insufficient input validation in the private archive login page (Cgi/private.py) of the GNU Mailman mailing list management system. Because request-derived data is placed into the generated page without adequate sanitisation, a remote attacker can inject arbitrary content into that page using a specially crafted request.

Recommendations: For GNU Mailman versions prior to 2.1.33, update to version 2.1.33 or later, which resolves the issue. As a temporary workaround until the update is applied, restrict access to the private archive login page (Cgi/private.py) to reduce exposure.
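The following Python is an added illustration of the vulnerability class named in the description, not Mailman's own code and not the patch that shipped in 2.1.33. It models a login page that embeds a request-derived value (here the request URI used as the form action) into its HTML without escaping, shows the hardened form beside it, and adds a helper that checks whether a version string falls in the affected range given above. The template, the crafted URI, and all function names are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed, minimal stand-in for a CGI login page: the form posts back to
# the URL that was requested, so the request path ends up inside the HTML.
# Illustrative only; this is not Mailman's private.html template.
LOGIN_TEMPLATE = """<html><body>
<form method="POST" action="{action}">
<input type="password" name="password">
<input type="submit" value="Let me in...">
</form>
</body></html>"""


def render_login_vulnerable(request_uri: str) -> str:
    """Vulnerable pattern: the request URI is embedded verbatim in an
    attribute value, so quotes and tags in it become part of the page."""
    return LOGIN_TEMPLATE.format(action=request_uri)


def render_login_fixed(request_uri: str) -> str:
    """Hardened pattern: keep only the path component of the URI and
    HTML-escape it (quotes included) before placing it in the attribute."""
    path = urlsplit(request_uri).path
    return LOGIN_TEMPLATE.format(action=html.escape(path, quote=True))


def injected_content_present(page: str, marker: str) -> bool:
    """True if attacker-supplied markup survived into the output unescaped."""
    return marker in page


# Constructed crafted request: closes the action attribute and the form,
# then appends attacker-controlled markup before re-opening a form tag.
CRAFTED_URI = ('/mailman/private/test-list/"></form>'
               '<h1>Injected content</h1><form action="')
MARKER = '<h1>Injected content</h1>'


def is_affected(version: str) -> bool:
    """True for GNU Mailman releases before 2.1.33, the fixed release named
    in the advisory. Assumes a dotted numeric version string such as 2.1.29."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups()) < (2, 1, 33)


if __name__ == "__main__":
    print(injected_content_present(render_login_vulnerable(CRAFTED_URI), MARKER))  # True
    print(injected_content_present(render_login_fixed(CRAFTED_URI), MARKER))       # False
    print(is_affected("2.1.29"), is_affected("2.1.33"))                             # True False
```

The hardened renderer escapes for the attribute context it writes into; stripping the query string alone would not help, since the injected markup lives in the path. The version helper only encodes the range stated on this page (before 2.1.33) and does not account for distribution backports, so check the vendor advisories listed below for patched package versions.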

Fix

Weakness Enumeration

Code Injection
Special Elements Injection

Related Identifiers

ALT-PU-2020-2129
ALT-PU-2021-2036
ALT-PU-2021-2340
BDU:2020-03224
CESA-2021:1751
CVE-2020-15011
DLA-2265-1
DLA-2276-1
DSA-4991-1
MGASA-2020-0276
OESA-2021-1405
OPENSUSE-SU-2020:1707-1
OPENSUSE-SU-2020:1752-1
RHSA-2021:1751
RLSA-2021:1751
SUSE-SU-2020:14423-1
SUSE-SU-2020:2048-1
USN-4406-1
USN-5121-2

Affected Products

ALT Linux
CentOS
GNU Mailman
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu