Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors Products
Gnu
  • Mailman

Configuration 1 [-]

OR cpe:2.3:a:gnu:mailman:2.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.10:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.10:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.10b1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.10b3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.10b4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.11:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.11:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.11:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.12:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.12:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.12:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.13:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.13:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.14:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.14:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.14-1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.15:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.15:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.16:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.16:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.16:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.16:rc3:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.17:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.18:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.18:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.18:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.18:rc3:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.18-1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.19:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.19:rc1:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.19:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.19:rc3:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.20:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.21:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.21:rc2:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.22:*:*:*:*:*:*:*
cpe:2.3:a:gnu:mailman:2.1.23:*:*:*:*:*:*:*
References
Link Resource
http://www.debian.org/security/2016/dsa-3668
http://www.securityfocus.com/bid/92731
http://www.securitytracker.com/id/1036728
https://bugs.launchpad.net/bugs/1614841 Issue Tracking
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-09-02T14:00:00

Updated: 2017-08-12T09:57:01

Reserved: 2016-08-19T00:00:00

Link: CVE-2016-6893

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2016-09-02T14:59:09.283

Modified: 2017-08-13T01:29:13.990

Link: CVE-2016-6893

JSON object: View

cve-icon Redhat Information

No data.

CWE