GNU Mailman

stack.watch can notify you when security vulnerabilities are reported in GNU Mailman. You can add multiple products that you use with Mailman to create your own personal software stack watcher.

By the Year

In 2020 there have been 2 vulnerabilities in GNU Mailman with an average score of 6.3 out of ten. Last year Mailman had 0 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2020 as compared to last year.

Year  Vulnerabilities  Average Score
2020  2                6.30
2019  0                0.00
2018  3                6.00

It may take a day or so for new Mailman vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest GNU Mailman Security Vulnerabilities

/options/mailman in GNU Mailman before 2.1.31

CVE-2020-12108 6.5 - Medium - May 06, 2020

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.

Downstream Injection

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts

CVE-2020-12137 6.1 - Medium - April 24, 2020

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

XSS

Cross-site scripting vulnerability in Mailman 2.1.26 and earlier

CVE-2018-0618 5.4 - Medium - July 26, 2018

Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

XSS

An issue was discovered in GNU Mailman before 2.1.28

CVE-2018-13796 6.5 - Medium - July 12, 2018

An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.

Improper Input Validation

Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26

CVE-2018-5950 6.1 - Medium - January 23, 2018

Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.

XSS