[Owasp-leaders] Mailman script insertion vulnerabilities
magno.logan at owasp.org
Thu Feb 24 04:05:52 EST 2011
"Some vulnerabilities have been reported in Mailman, which can be exploited
by malicious users to conduct script insertion attacks, according to
Input passed via the "full name" is not properly sanitised before being used
in the "Confirm unsubscription request", "Confirm change of email address
request", and "Re-enable mailing list membership" pages.
This can be exploited to insert arbitrary HTML and script code, which will
be executed in a user's browser session in context of an affected site when
the malicious data is being viewed.
The vulnerabilities are reported in version 2.1.14. Other versions may also
A patch is available."
The Mailman from my chapter is version 2.1.8. Don't know if everyone has the
same version. But since my version is older than the one affected, I guess
we all are too. Shouldn't we update?
Magno (Logan) Rodrigues
OWASP Paraiba - Chapter Leader <http://www.owasp.org/index.php/Paraiba>
Twitter: @magnologan <http://www.twitter.com/magnologan>
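To make the quoted advisory concrete, here is an added illustration of the bug class it describes (unescaped "full name" data spliced into a confirmation page) next to the fix; this is example code written for this post, not Mailman's own, and the function names, template and sample name are all constructed for the demonstration.

```python
import html
import re

# Constructed sample: a subscriber's "full name" exactly as stored by the list
# server. Whatever it contains must be shown as literal text, never as markup.
UNTRUSTED_FULL_NAME = 'Alice <script>alert(document.cookie)</script>'

# Hypothetical confirmation-page fragment; the real Mailman templates differ.
CONFIRM_TEMPLATE = (
    '<p>Confirm unsubscription request for {name} &lt;{email}&gt;</p>'
)


def render_confirm_page_unsafe(full_name, email):
    """The pattern the advisory describes: user data inserted into HTML verbatim."""
    return CONFIRM_TEMPLATE.format(name=full_name, email=email)


def render_confirm_page(full_name, email):
    """Hardened version: HTML-encode every user-controlled value at output time.

    quote=True also encodes ' and " so the same helper is safe inside
    attribute values, not only in element text.
    """
    return CONFIRM_TEMPLATE.format(
        name=html.escape(full_name, quote=True),
        email=html.escape(email, quote=True),
    )


# Matches the start of an HTML tag ("<p", "</p", "<script" ...), but not the
# encoded form "&lt;script", which browsers display as text.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z]')


def contains_raw_markup(rendered, template=CONFIRM_TEMPLATE):
    """Regression check: any tag beyond those in the template came from user data."""
    baseline = len(TAG_RE.findall(template))
    return len(TAG_RE.findall(rendered)) > baseline


if __name__ == '__main__':
    for renderer in (render_confirm_page_unsafe, render_confirm_page):
        page = renderer(UNTRUSTED_FULL_NAME, 'alice@example.org')
        print(renderer.__name__, 'injects markup:', contains_raw_markup(page))
```

Running it prints `True` for the unsafe renderer and `False` for the escaped one; the same check can be pointed at any page that echoes member data.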