Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-5950

CWE-79 — Cross-site Scripting (XSS)9 documents8 sources

Severity

6.1MEDIUM

EPSS

1.7%

top 17.64%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

GNU Mailman Canonical Ubuntu Linux Debian Debian Linux +6 more

Timeline

PublishedJan 23

Latest updateMay 13

Description

Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDgnu/mailman< 2.1.26

▶Ubuntumailman< 1:2.1.16-2ubuntu0.5+1

▶NVDredhat/enterprise_linux_server6.0, 7.0+1

▶NVDredhat/enterprise_linux_desktop6.0, 7.0+1

▶NVDredhat/enterprise_linux_workstation6.0, 7.0+1

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, Enterprise Linux 7.4, 7.6, 7.5

Patches

Patch: bugs.launchpad.net ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-224g-q27w-pv8f: Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2↗2022-05-13

▶

OSV

CVE-2018-5950: Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2↗2018-01-23

▶

CVEList

CVE-2018-5950: Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2↗2018-01-23

▶

💥Exploits & PoCs

Exploit-DB

Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)↗2020-10-29

▶

📋Vendor Advisories

Ubuntu

Mailman vulnerability↗2018-02-08

▶

Red Hat

mailman: Cross-site scripting (XSS) vulnerability in web UI↗2018-01-20

▶

💬Community

Bugzilla

CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI [fedora-all]↗2018-01-24

▶

Bugzilla

CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI↗2018-01-24

▶