Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now as grave since neither details on the impact nor the fix are public, cf. [1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
>
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
>
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore