On Mon, Apr 21, 2025 at 09:08:33AM -0700, Alan Coopersmith wrote:
> 3 new CVE's have been published for GNU Mailman 2.1.39, as bundled with cPanel
> and WHM, credited to Firudin Davudzada and Musazada Aydan.
>
> CVE-2025-43919: Directory Traversal in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
> Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43919
[…]
> CVE-2025-43921: Unauthenticated Mailing List Creation in GNU Mailman 2.1.39
> (cPanel/WHM Bundle)
> Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43921

I saw these mentioned earlier and could not reproduce either on a stock 2.1.39 install. Looking at the code that handles the "private" endpoint, it's also hard to see a route from the username POST parameter to path construction.

Are these vulnerabilities due to modifications made by the vendor (cPanel LLC) to their distributed version?

-Valtteri