Multiple security flaws leading to cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code) were found in mailman.

1. A security flaw was found in the way the Mailman mailing list manager sanitized the content of the mailing list information HTML template prior to rendering it to the user. A remote mailing list owner could use this flaw to conduct cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code) when the modified "listinfo" HTML page is viewed by the user.

2. A security flaw was found in the way the Mailman mailing list manager sanitized the mailing list description when presenting general mailing list information. A remote mailing list owner could use this flaw to conduct cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code).

References:
[1] http://mail.python.org/pipermail/mailman-announce/2010-September/000150.html

Acknowledgements:
Red Hat would like to thank Mark Sapiro for reporting these flaws.
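The two flaws described above, sketched as an added example (this is not Mailman's code and not the proposed patch): the list description rendered with and without output escaping, and a review check that flags active content in an owner-edited "listinfo" template. All function names, the tag and scheme lists, and the sample strings used with them are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical policy for this example, not Mailman's own list.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def render_description_unsafe(listname, description):
    """'Before' form: owner-supplied text is pasted straight into the page."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (listname, description)


def render_description_safe(listname, description):
    """Hardened form: every owner-supplied field is HTML-escaped on output."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(listname),
        html.escape(description),
    )


class ActiveContentFinder(HTMLParser):
    """Collects script-capable markup found in an owner-edited template."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append("tag:" + tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("handler:%s on <%s>" % (name, tag))
            elif name in URL_ATTRS and value:
                # Drop whitespace and fold case before comparing the scheme.
                if "".join(value.split()).lower().startswith(SCRIPT_SCHEMES):
                    self.findings.append("url:%s on <%s>" % (name, tag))


def find_active_content(template):
    """Return a list of findings; an empty list means nothing was flagged."""
    finder = ActiveContentFinder()
    finder.feed(template)
    finder.close()
    return finder.findings
```

A check like `find_active_content` suits review or logging of template edits; escaping on output remains the control that keeps the description field inert.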
This issue affects the versions of the mailman package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

--

This issue affects the versions of the mailman package, as shipped with Fedora releases 12 and 13.
Public via: http://mail.python.org/pipermail/mailman-announce/2010-September/000151.html
This issue has been assigned the name CVE-2010-3089.
*** Bug 631859 has been marked as a duplicate of this bug. ***
Created mailman tracking bugs for this issue

Affects: fedora-all [bug 633798]
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Created attachment 447625: proposed patch
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2011:0307 https://rhn.redhat.com/errata/RHSA-2011-0307.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0308 https://rhn.redhat.com/errata/RHSA-2011-0308.html