Vulnerability CVE-2008-0564

Vulnerability Name:

CVE-2008-0564 (CCN-40267)

Assigned:

2008-01-03

Published:

2008-01-03

Updated:

2018-10-15

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.5 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-0564

Source: APPLE
Type: UNKNOWN
APPLE-SA-2010-03-29-1

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:017

Source: MLIST
Type: UNKNOWN
[Mailman-Announce] 20080203 Mailman 2.1.10b3 Released (was: Re: Mailman 2.1.10b1 Released)

Source: CCN
Type: RHSA-2011-0307
Moderate: mailman security update

Source: CCN
Type: SA28794
Mailman Script Insertion Vulnerability

Source: SECUNIA
Type: UNKNOWN
28794

Source: SECUNIA
Type: UNKNOWN
28916

Source: SECUNIA
Type: UNKNOWN
28966

Source: SECUNIA
Type: UNKNOWN
29249

Source: SECUNIA
Type: UNKNOWN
29388

Source: SECUNIA
Type: UNKNOWN
31687

Source: SECUNIA
Type: UNKNOWN
43549

Source: CCN
Type: SourceForge.net: Files
Mailman - File Release Notes and Changelog - Release Name: Mailman 2.1.10b1

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/project/shownotes.php?release_id=559308&group_id=103

Source: CCN
Type: Apple Web site
About the security content of Security Update 2010-002 / Mac OS X v10.6.3

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT4077

Source: CONFIRM
Type: UNKNOWN
http://wiki.rpath.com/Advisories:rPSA-2008-0056

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:061

Source: REDHAT
Type: UNKNOWN
RHSA-2011:0307

Source: BUGTRAQ
Type: UNKNOWN
20080215 rPSA-2008-0056-1 mailman

Source: BID
Type: UNKNOWN
27630

Source: CCN
Type: BID-27630
Mailman 'list templates' and 'list info' Multiple HTML Injection Vulnerabilities

Source: CCN
Type: USN-586-1
mailman vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-586-1

Source: VUPEN
Type: UNKNOWN
ADV-2008-0422

Source: VUPEN
Type: UNKNOWN
ADV-2011-0542

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=431526

Source: XF
Type: UNKNOWN
mailman-list-templates-info-xss(40267)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-2207

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-1334

Source: SUSE
Type: SUSE-SR:2008:017
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:mailman:mailman:*:*:*:*:*:*:*:* (Version <= 2.1.10b)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:mailman:2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.7:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:1.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:1.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.11:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.12:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.13:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.14:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.8:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta3:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta4:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.0:beta5:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.1:beta1:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.5.8:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.8:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1b1:*:*:*:*:*:*:*

OR cpe:/a:gnu:mailman:2.1.9:*:*:*:*:*:*:*

AND

cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_eus:5.6.z::server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_long_life:5.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20080564	V	CVE-2008-0564	2017-09-27
oval:org.mitre.oval:def:17558	P	USN-586-1 -- mailman vulnerability	2014-06-30
oval:org.mitre.oval:def:23255	P	ELSA-2011:0307: mailman security update (Moderate)	2014-05-26
oval:org.mitre.oval:def:21661	P	RHSA-2011:0307: mailman security update (Moderate)	2014-02-24
oval:com.redhat.rhsa:def:20110307	P	RHSA-2011:0307: mailman security update (Moderate)	2011-03-01

BACK