CVE-2009-4896

mlmmj 1.2.15-1.2.17 - Authenticated Path Traversal and Arbitrary File Manipulation via List Name Parameter

Title source: llm
STIX 2.1

Description

Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.

References (11)

Core 11
Core References
Various Sources x_refsource_confirm
http://mlmmj.org/node/84
Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/06/26/1
Issue Tracking x_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=259968
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/06/25/2
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40658
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/06/23/5
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=607256
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/07/06/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/06/23/6
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/07/04/4
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2073

Scores

EPSS 0.0181
EPSS Percentile 75.9%

Details

CWE
CWE-22
Status published
Products (3)
mlmmj/mlmmj 1.2.15
mlmmj/mlmmj 1.2.16
mlmmj/mlmmj 1.2.17
Published Aug 02, 2010
Tracked Since Feb 18, 2026