A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
Bug #1913241 reported by Abderrahmane Sahnoun
This bug report is a duplicate of:
Bug #1780874: Arbitrary text injection vulnerability in Mailman CGIs.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | New | Undecided | Abderrahmane Sahnoun |
Bug Description
A URL with a very long text listname such as
https:/
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
This issue was discovered by Abderrahmane Sahnoun <email address hidden>.
Same as CVE-2018-13796.
CVE References
Changed in mailman: | |
assignee: | nobody → Abderrahmane Sahnoun (xvirusdz) |
description: | updated |
description: | updated |
Changed in mailman: | |
assignee: | Abderrahmane Sahnoun (xvirusdz) → nobody |
description: | updated |
Changed in mailman: | |
assignee: | nobody → Abderrahmane Sahnoun (xvirusdz) |
information type: | Private Security → Public |
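The "No such list" echo from the bug description, next to one way to close it, as an added Python example (not Mailman's code and not its actual fix). The function names, the list-name pattern, the sample lists and the request path are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumption: legitimate list names fit this conservative pattern.
LISTNAME_RE = re.compile(r"[a-z0-9][a-z0-9._+-]{0,63}")
KNOWN_LISTS = {"announce", "dev-discuss"}  # constructed stand-in for real lists


def requested_listname(path_info):
    """First path component of a (hypothetical) PATH_INFO value, URL-decoded."""
    parts = [p for p in path_info.split("/") if p]
    return unquote(parts[0]).lower() if parts else ""


def respond_reflecting(path_info):
    """'Before' behaviour from the report: the unknown name is echoed back.
    Escaping blocks markup injection, but the supplied text is still displayed."""
    name = requested_listname(path_info)
    if name in KNOWN_LISTS:
        return 200, "<h1>%s</h1>" % html.escape(name)
    return 404, "<h1>No such list <em>%s</em></h1>" % html.escape(name)


def respond_hardened(path_info):
    """Return (status, body, log_line). The 404 body is constant; the rejected
    value goes only to the server log, truncated and repr()-quoted."""
    name = requested_listname(path_info)
    if name in KNOWN_LISTS:
        return 200, "<h1>%s</h1>" % html.escape(name), None
    # Distinguish a plausible typo from free text smuggled in as a list name.
    kind = "unknown" if LISTNAME_RE.fullmatch(name) else "malformed"
    log_line = "no-such-list kind=%s len=%d name=%r" % (kind, len(name), name[:40])
    return 404, "<h1>No such list</h1>", log_line


# Constructed sample request: a sentence passed where a list name belongs.
SAMPLE = "/This%20text%20was%20chosen%20by%20the%20sender%20of%20the%20link"

if __name__ == "__main__":
    print(respond_reflecting(SAMPLE)[1])   # supplied sentence appears in the page
    print(respond_hardened(SAMPLE))        # constant body, value only in the log
    print(respond_hardened("/annuonce"))   # ordinary typo is logged as "unknown"
```

The `kind=malformed` log lines give a simple signal to alert on, since a mistyped list name rarely contains spaces or runs to sentence length.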