GNU Mailman

A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.

Bug #1913241 reported by Abderrahmane Sahnoun on 2021-01-26

This bug report is a duplicate of: Bug #1780874: Arbitrary text injection vulnerability in Mailman CGIs. Edit Remove

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	New	Undecided	Abderrahmane Sahnoun

A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phishing_text
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

This issue was discovered by Abderrahmane Sahnoun <email address hidden>.
same as CVE-2018-13796

See original description

Abderrahmane Sahnoun (xvirusdz) on 2021-01-26

Changed in mailman:
assignee:	nobody → Abderrahmane Sahnoun (xvirusdz)
description:	updated
description:	updated
Changed in mailman:
assignee:	Abderrahmane Sahnoun (xvirusdz) → nobody

Abderrahmane Sahnoun (xvirusdz) on 2021-01-26

description:	updated
Changed in mailman:
assignee:	nobody → Abderrahmane Sahnoun (xvirusdz)

Mark Sapiro (msapiro) on 2021-01-26

information type:

Private Security → Public

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Bug watches keep track of this bug in other bug trackers.