CVE-2002-0855

Mailman - Cross-Site Scripting via Adminpw or Info Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-0855. PoCs published by office.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in GNU Mailman where arbitrary HTML and script code are not sanitized from URI parameters in mailing list subscribe scripts. An attacker can craft a malicious link to execute arbitrary JavaScript in the context of a victim's session.

Description

Cross-site scripting vulnerability in Mailman before 2.0.12 allows remote attackers to execute script as other users via a subscriber's list subscription options in the (1) adminpw or (2) info parameters to the ml-name feature.

Exploits (2)

exploitdb WORKING POC VERIFIED
by office · textremotecgi
https://www.exploit-db.com/exploits/21641

This exploit demonstrates a cross-site scripting (XSS) vulnerability in GNU Mailman where arbitrary HTML and script code are not sanitized from URI parameters in mailing list subscribe scripts. An attacker can craft a malicious link to execute arbitrary JavaScript in the context of a victim's session.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GNU Mailman
No auth needed
Prerequisites: A target running a vulnerable version of GNU Mailman · Victim interaction to click on a malicious link
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by office · textremotecgi
https://www.exploit-db.com/exploits/21642

This exploit demonstrates a cross-site scripting (XSS) vulnerability in GNU Mailman by crafting a malicious URL that injects arbitrary JavaScript code into the administrative login page. The script steals the user's cookies by sending them to an attacker-controlled server.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GNU Mailman (versions affected by CVE-2002-0855)
No auth needed
Prerequisites: Access to the target's Mailman admin interface URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0268.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2002-177.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2002-178.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2002/dsa-147
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/5298
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2002-181.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2002-176.html
Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9985.php
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000522

Scores

EPSS 0.0611
EPSS Percentile 92.5%

Details

Status published
Products (1)
gnu/mailman 2.0.12
Published Sep 05, 2002
Tracked Since Feb 18, 2026