** Description changed:

There is a possibility of a CSRF attack via the user options page which - could allow an attacker to discover a user's password. + could allow an attacker to discover a user's password. Reported by + Nishant Agarwala.

What versions?

All Mailman 2.1.x prior to 2.1.23. However, versions older than 2.1.15 are also vulnerable to CSRF attacks on the admin web interface.

A patch to fix this which is applicable to Mailman >= 2.1.15 and <= 2.1.22 is attached here. This fix has also been released as part of Mailman 2.1.23.

** Attachment added: "Patch for CVE-2016-6893" https://bugs.launchpad.net/mailman/+bug/1614841/+attachment/4732645/+files/p...

Re Comment #3 it appears this has triggered a new CVE-2016-7123 to be issued just based on this one line that Mark Sapiro wrote with no other confirmation than this launchpad bug #1614841, but I wonder if the latter CVE (CVE-2016-7123) is a duplicate of the old CVE-2011-0707, or a new separate issue. Haven't been able to find relevant information so far, and people are also wondering and reporting this elsewhere. https://www.cvedetails.com/cve/CVE-2011-0707/

Related: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378 <- requesting FreeBSD to list CVE-2016-7123 as a new bug (note that FreeBSD already marked CVE-2016-6893 which covers a wider span of versions).

** Bug watch added: bugs.freebsd.org/bugzilla/ #212378 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378

** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2011-0707

** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-7123

CVE-2011-0707 is not related to this CSRF issue. It references an XSS vulnerability that was fixed in Mailman 2.1.15 and so noted in the changelog of that release at https://launchpad.net/mailman/2.1/2.1.15

CVE-2016-7123 is a new CVE that apparently just acknowledging the CSRF vulnerability in the admin interface that exists in Mailman prior to 2.1.15. See https://bugs.launchpad.net/mailman/+bug/775294