Description
In GNU Mailman before 2.1.36, the CSRF token issued for the admindb page (Cgi/admindb.py) embeds an encrypted form of the list admin password. Because the admindb page is also served to list moderators, a moderator can capture the token and recover the admin password through an offline brute-force attack; the password hash is deterministic, so each guess can be checked without contacting the server, and a weak admin password falls quickly.
Remediation
Upgrade to GNU Mailman 2.1.36 or later. Until then, treat the list admin password as exposed to anyone with moderator access and choose an admin password long enough to resist offline guessing.
References