
gnu mailman

50 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-43921
>= 2.1.1 and <= 2.1.39
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpo
5.3 MEDIUM
CVE-2025-43920
>= 2.1.1 and <= 2.1.39
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers
5.4 MEDIUM
CVE-2025-43919
>= 2.1.1 and <= 2.1.39
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory tra
5.8 MEDIUM
CVE-2021-34337
< 3.3.5
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determin
6.3 MEDIUM
CVE-2021-44227
< 2.1.38
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set
8.8 HIGH
CVE-2021-43332
< 2.1.36
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin p
6.5 MEDIUM
CVE-2021-43331
< 2.1.36
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
6.1 MEDIUM
CVE-2021-42097
< 2.1.35
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An a
8.0 HIGH
CVE-2021-42096
< 2.1.35
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, an
4.3 MEDIUM
CVE-2020-15011
< 2.1.33
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.
4.3 MEDIUM
CVE-2020-12108
< 2.1.31
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
6.5 MEDIUM
CVE-2020-12137
>= 2.0 and < 2.1.30
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribu
6.1 MEDIUM
CVE-2019-3693
< 2.1.15-9.6.15.1
A symlink following vulnerability in the packaging of mailman in SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12;
7.7 HIGH
CVE-2018-0618
<= 2.1.26
Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web scr
5.4 MEDIUM
CVE-2018-13796
< 2.1.28
An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a
6.5 MEDIUM
CVE-2018-5950
< 2.1.26
Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web sc
6.1 MEDIUM
CVE-2016-7123
<= 2.1.14
Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to
8.8 HIGH
CVE-2016-6893
all versions
Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attacker
8.8 HIGH
CVE-2015-2775
<= 2.1.19
Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute
CVE-2011-5024
all versions
Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mailman/htdig integration patch for Mailman allows remote attac
CVE-2011-0707
<= 2.1.14
Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to
CVE-2010-3089
<= 2.1.13
Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arb
CVE-2009-2164
all versions
Multiple SQL injection vulnerabilities in Kjtechforce mailman beta1, when magic_quotes_gpc is disabled, allow remote attackers to
CVE-2008-0564
<= 2.1.10b
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web scri
CVE-2006-2191
<= 2.1.8
Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the
CVE-2006-4624
<= 2.1.8
CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and
CVE-2006-3636
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.9rc1 allow remote attackers to inject arbitrary web scri
CVE-2006-2941
all versions
Mailman before 2.1.9rc1 allows remote attackers to cause a denial of service via unspecified vectors involving "standards-breaking
CVE-2006-1712
all versions
Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers t
CVE-2006-0052
all versions
The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote at
CVE-2005-4153
all versions
Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial of service via a message that causes the server to "fail wit
CVE-2005-3573
all versions
Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows
CVE-2005-0202
all versions
Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to
CVE-2005-0080
all versions
The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the
CVE-2004-1177
all versions
Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary
CVE-2004-1143
all versions
The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attack
CVE-2004-0412
all versions
Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server.
CVE-2004-0182
<= 2.0.12
Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject fiel
CVE-2003-0991
all versions
Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (c
CVE-2003-0992
<= 2.1.3
Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookie
CVE-2003-0965
<= 2.1.4
Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session
CVE-2003-0038
all versions
Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web p
CVE-2002-0855
all versions
Cross-site scripting vulnerability in Mailman before 2.0.12 allows remote attackers to execute script as other users via a subscri
CVE-2002-0389
all versions
Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local u
CVE-2002-0388
<= 2.0.11
Cross-site scripting vulnerabilities in Mailman before 2.0.11 allow remote attackers to execute script via (1) the admin login pag
CVE-2001-0884
all versions
Cross-site scripting vulnerability in Mailman email archiver before 2.08 allows attackers to obtain sensitive information or authe
CVE-2001-1132
<= 2.0.5
Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to list administrative pages when there is an empty site or list
CVE-2001-0290
<= 2.0.2
Vulnerability in Mailman 2.0.1 and earlier allows list administrators to obtain user passwords.
CVE-2000-0861
all versions
Mailman 1.1 allows list administrators to execute arbitrary commands via shell metacharacters in the %(listname) macro expansion.
CVE-2000-0701
all versions
The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly cleanse untrusted format strings, which allows local users
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin