CVE-2016-6893
Severity: HIGH
GNU Mailman 2.1.x < 2.1.23 - Cross-Site Request Forgery in User Options Page
Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.
References (4)
Core References
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3668
Issue Tracking (x_refsource_confirm): https://bugs.launchpad.net/bugs/1614841
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/92731
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1036728
Scores
CVSS v3: 8.8
EPSS: 0.0034
EPSS Percentile: 56.8%
Attack Vector: NETWORK
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-352
Status: published
Products (28)
gnu/mailman 2.1
gnu/mailman 2.1.1
gnu/mailman 2.1.2
gnu/mailman 2.1.3
gnu/mailman 2.1.4
gnu/mailman 2.1.5
gnu/mailman 2.1.6
gnu/mailman 2.1.8
gnu/mailman 2.1.9
gnu/mailman 2.1.10 (2 CPE variants)
... and 18 more
Published: Sep 02, 2016
Tracked Since: Feb 18, 2026