Mailman script insertion vulnerabilities

Some vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks, according to Secunia.

Input passed via the “full name” is not properly sanitised before being used in the “Confirm unsubscription request”, “Confirm change of email address request”, and “Re-enable mailing list membership” pages.

This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities are reported in version 2.1.14. Other versions may also be affected.

A patch is available.