MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate_template parameter.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mailman_webmail | Endymion | 3.0 (including) | 3.0 (including) |
| Mailman_webmail | Endymion | 3.0.1 (including) | 3.0.1 (including) |
| Mailman_webmail | Endymion | 3.0.10 (including) | 3.0.10 (including) |
| Mailman_webmail | Endymion | 3.0.11 (including) | 3.0.11 (including) |
| Mailman_webmail | Endymion | 3.0.12 (including) | 3.0.12 (including) |
| Mailman_webmail | Endymion | 3.0.13 (including) | 3.0.13 (including) |
| Mailman_webmail | Endymion | 3.0.14 (including) | 3.0.14 (including) |
| Mailman_webmail | Endymion | 3.0.15 (including) | 3.0.15 (including) |
| Mailman_webmail | Endymion | 3.0.16 (including) | 3.0.16 (including) |
| Mailman_webmail | Endymion | 3.0.18 (including) | 3.0.18 (including) |
| Mailman_webmail | Endymion | 3.0.19 (including) | 3.0.19 (including) |
| Mailman_webmail | Endymion | 3.0.20 (including) | 3.0.20 (including) |
| Mailman_webmail | Endymion | 3.0.21 (including) | 3.0.21 (including) |
| Mailman_webmail | Endymion | 3.0.22 (including) | 3.0.22 (including) |
| Mailman_webmail | Endymion | 3.0.23 (including) | 3.0.23 (including) |
| Mailman_webmail | Endymion | 3.0.24 (including) | 3.0.24 (including) |
| Mailman_webmail | Endymion | 3.0.25 (including) | 3.0.25 (including) |
References
- http://archives.neohapsis.com/archives/bugtraq/2000-12/0057.html
- http://www.endymion.com/products/mailman/history.htm
- http://www.securityfocus.com/bid/2063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5649
- http://archives.neohapsis.com/archives/bugtraq/2000-12/0057.html
- http://www.endymion.com/products/mailman/history.htm
- http://www.securityfocus.com/bid/2063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5649