Vulnerability CVE-2003-0992 - CERT Civis.Net

Vulnerability Name:

CVE-2003-0992 (CCN-14914)

Assigned:

2003-09-27

Published:

2003-09-27

Updated:

2017-10-11

Summary:

Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2003-0992

Source: CONECTIVA
Type: UNKNOWN
CLA-2004:842

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2004:842
mailman

Source: CCN
Type: [Mailman-Announce] RELEASED Mailman 2.1.3
RELEASED Mailman 2.1.3

Source: CONFIRM
Type: Patch, Vendor Advisory
http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html

Source: CCN
Type: RHSA-2004-020
Updated mailman packages close cross-site scripting vulnerabilities

Source: CCN
Type: SourceForge.net
Project: Mailman: File List

Source: CCN
Type: CIAC Information Bulletin O-074
Red Hat Cross-site Scripting Vulnerability in Mailman Package

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2004:013

Source: CCN
Type: OSVDB ID: 8351
Mailman create CGI XSS

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2004:020

Source: CCN
Type: BID-10413
GNU Mailman Create Script Unspecified Cross-Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
mailman-createcgi-xss(14914)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:815

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:mailman:*:*:*:*:*:*:*:* (Version <= 2.1.3)

Configuration CCN 1:

cpe:/a:gnu:mailman:2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:1.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:1.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.11:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.12:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.13:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.14:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.8:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta3:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta4:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta5:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.1:beta1:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.2:*:*:*:*:*:*:*

AND

cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:815	V	Mailman Cross-site Scripting Vulnerability II	2010-09-20