Vulnerability Details : CVE-2011-0707
Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2011-0707
- cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1b1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1:stable:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1:beta:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.11:rc1:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.11:rc2:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:mailman:2.1.14:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-0707
2.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-0707
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-0707
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-0707
-
http://www.mandriva.com/security/advisories?name=MDVSA-2011:036
mandriva.com
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056399.html
[SECURITY] Fedora 15 Update: mailman-2.1.14-5.fc15
-
http://secunia.com/advisories/43829
Sign in
-
http://www.securityfocus.com/bid/46464
GNU Mailman 'Full name' Field Multiple Cross Site Scripting Vulnerabilities
-
http://osvdb.org/70936
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/65538
GNU Mailman Full name cross-site scripting CVE-2011-0707 Vulnerability Report
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056387.html
[SECURITY] Fedora 14 Update: mailman-2.1.13-7.fc14
-
http://www.vupen.com/english/advisories/2011/0487
Webmail | OVH- OVH
-
http://secunia.com/advisories/43389
Sign inVendor Advisory
-
http://secunia.com/advisories/43580
Sign in
-
http://secunia.com/advisories/43425
Sign inVendor Advisory
-
http://www.vupen.com/english/advisories/2011/0720
Webmail | OVH- OVH
-
http://www.redhat.com/support/errata/RHSA-2011-0307.html
Support
-
http://www.securitytracker.com/id?1025106
Mailman Input Validation Flaw in Full Name Field Permits Cross-Site Scripting Attacks - SecurityTracker
-
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2011:009
-
http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html
[Mailman-Announce] Mailman Security Patch Announcement
-
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
Apple - Lists.apple.com
-
http://secunia.com/advisories/43549
Sign in
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056363.html
[SECURITY] Fedora 13 Update: mailman-2.1.12-17.fc13
-
http://www.vupen.com/english/advisories/2011/0542
Webmail | OVH- OVH
-
http://lists.opensuse.org/opensuse-updates/2011-05/msg00000.html
openSUSE-SU-2011:0424-1 (low): mailman security update to fix XSS vulner
-
http://www.ubuntu.com/usn/USN-1069-1
USN-1069-1: Mailman vulnerabilities | Ubuntu security notices
-
http://www.vupen.com/english/advisories/2011/0436
Webmail | OVH- OVHVendor Advisory
-
http://secunia.com/advisories/43294
Sign inVendor Advisory
-
http://www.vupen.com/english/advisories/2011/0460
Webmail | OVH- OVHVendor Advisory
-
http://www.redhat.com/support/errata/RHSA-2011-0308.html
Support
-
http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html
[Mailman-Announce] Mailman Security Patch AnnouncementPatch
-
http://www.debian.org/security/2011/dsa-2170
Debian -- Security Information -- DSA-2170-1 mailman
-
http://support.apple.com/kb/HT5002
About the security content of OS X Lion v10.7.2 and Security Update 2011-006 - Apple Support
-
http://www.vupen.com/english/advisories/2011/0435
Webmail | OVH- OVHVendor Advisory
Jump to