Mailman: Cross-site scripting vulnerability — GLSA 200501-29

Mailman is vulnerable to cross-site scripting attacks.

Affected Packages

net-mail/mailman on all architectures
Affected versions < 2.1.5-r3
Unaffected versions >= 2.1.5-r3

Background

Mailman is a Python-based mailing list server with an extensive web interface.

Description

Florian Weimer has discovered a cross-site scripting vulnerability in the error messages that are produced by Mailman.

Impact

By enticing a user to visiting a specially-crafted URL, an attacker can execute arbitrary script code running in the context of the victim's browser.

Workaround

There is no known workaround at this time.

Resolution

All Mailman users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r3"

References

Release Date
January 22, 2005

Latest Revision
January 22, 2005: 01

Severity
low

Exploitable
remote

Bugzilla entries