CERTA-2004-AVI-026

Vulnerability from certfr_avis - Published: - Updated:

Two cross-site scripting vulnerabilities are present in mailman.

Description

mailman is a piece of software for managing mailing lists. A malicious user can exploit two vulnerabilities in order to execute scripts on a client workstation that accesses the vulnerable mailman application through its browser (cross-site scripting vulnerability). It is then possible to retrieve the client workstation's authentication data or to read the data the user sends to the vulnerable site.

Solution

Update mailman to version 2.1.4. Refer to the Documentation section for the update procedure for the distribution concerned.

Affected systems

All versions of mailman prior to version 2.1.4.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eToutes les versions de \u003cTT\u003emailman\u003c/TT\u003e  ant\u00e9rieures \u00e0 la version 2.1.4.\u003c/p\u003e",
  "content": "## Description\n\nmailman est un logiciel permettant la gestion des listes de diffusion.\nUn utilisateur mal intentionn\u00e9 peut exploiter deux vuln\u00e9rabilit\u00e9s afin\nd\u0027ex\u00e9cuter des scripts sur un poste client acc\u00e9dant \u00e0 l\u0027application\nmailman vuln\u00e9rable au travers de son navigateur (vuln\u00e9rabilit\u00e9 de type\ncross-site scripting). Il est alors possible de r\u00e9cup\u00e9rer les donn\u00e9es\nd\u0027authentification du poste client ou de lire les donn\u00e9es transmises au\nsite vuln\u00e9rable par l\u0027utilisateur.\n\n## Solution\n\nMettre \u00e0 jour mailman en version 2.1.4. Se r\u00e9f\u00e9rer \u00e0 la section\nDocumentation pour la mise \u00e0 jour selon la distribution concern\u00e9e.\n",
  "cves": [],
  "links": [
    {
      "title": "Avis de s\u00e9curit\u00e9 RedHat RHSA-2004:156 :",
      "url": "http://rhn.redhat.com/errata/RHSA-2004-156.html"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 SGI 20040201-01-U du 11 f\u00e9vrier 2004 :",
      "url": "ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U.asc"
    },
    {
      "title": "Site internet de mailman :",
      "url": "http://www.list.org"
    },
    {
      "title": "Mise \u00e0 jour de s\u00e9curit\u00e9 du paquetage NetBSD mailman :",
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities"
    },
    {
      "title": "Quatre avis de s\u00e9curit\u00e9 FreeBSD du 25 f\u00e9vrier 2004 :",
      "url": "http://www.vuxml.org/freebsd/"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 RedHat RHSA-2004:020 :",
      "url": "http://rhn.redhat.com/errata/RHSA-2004-020.html"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 RedHat RHSA-2004:019 :",
      "url": "http://rhn.redhat.com/errata/RHSA-2004-019.html"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 Debian DSA-436 :      \nLe correctif propos\u00e9 par Debian dans l\u0027avis DSA-436 introduitune nouvelle vuln\u00e9rabilit\u00e9.",
      "url": "http://www.debian.org/security/2004/dsa-436"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 Mandrake MDKSA-2004:013 :",
      "url": "http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:013"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 SGI 20040404-01-U du 21 avril 2004 :",
      "url": "ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc"
    },
    {
      "title": "Avis de s\u00e9curit\u00e9 SUSE SuSE:2004:008 su 14 avril 2004 :",
      "url": "http://www.suse.com/de/security/2004_08_cvs.html"
    }
  ],
  "reference": "CERTA-2004-AVI-026",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2004-02-09T00:00:00.000000"
    },
    {
      "description": "ajout du bulletin de s\u00e9curit\u00e9 de Mandrake.",
      "revision_date": "2004-02-16T00:00:00.000000"
    },
    {
      "description": "modification de l\u0027avis Debian. Le pr\u00e9c\u00e9dent correctif Debian (DSA-436-1) introduit une nouvelle vuln\u00e9rabilit\u00e9.",
      "revision_date": "2004-02-24T00:00:00.000000"
    },
    {
      "description": "ajout du bulletin de s\u00e9curit\u00e9 de Fedora.",
      "revision_date": "2004-03-08T00:00:00.000000"
    },
    {
      "description": "ajout des r\u00e9f\u00e9rences aux bulletins de s\u00e9curit\u00e9 RedHat, SUSE, SGI et ajout d\u0027une nouvelle r\u00e9f\u00e9rence CVE.",
      "revision_date": "2004-05-10T00:00:00.000000"
    },
    {
      "description": "ajout des r\u00e9f\u00e9rences aux bulletins de s\u00e9curit\u00e9 FreeBSD et NetBSD.",
      "revision_date": "2004-05-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Perte de confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Usurpation d\u0027identit\u00e9"
    }
  ],
  "summary": "Deux vuln\u00e9rabilit\u00e9s de type cross-site scripting sont pr\u00e9sentes dans\nmailman.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans mailman",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 RedHat RHSA-2004:020-02",
      "url": null
    }
  ]
}