#VU14330 Spoofing attack in Mailman - CVE-2018-13796

Cybersecurity Help s.r.o.

Published: 2018-08-13

Vulnerability identifier: #VU14330

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-13796

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mailman
Web applications / Webmail solutions

Vendor: GNU

Description

The vulnerability allows a remote attacker to conduct spoofing attack.

The vulnerability exists due to insufficient input validation. A remote attacker can submit a specially crafted URL and cause arbitrary text to be displayed on a web page from a trusted site.

Mitigation
Update to version 2.1.28.

Vulnerable software versions

Mailman: 1.0 - 2.1.27

External links
https://www.mail-archive.com/mailman-users@python.org/msg71003.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for mailman

Oracle Solaris security update for third party software (July 2020)

Ubuntu update for Mailman

Red Hat Enterprise Linux 7 update for mailman

Gentoo update for Mailman

OpenSUSE Linux update for mailman

Information disclosure in GNU Mailman

Fedora 28 update for mailman