[Bug 1780874] [NEW] Arbitrary text injection vulnerability in Mailman CGIs

Mark Sapiro mark at msapiro.net
Mon Jul 9 19:16:13 EDT 2018

*** This bug is a security vulnerability ***

Private security bug reported:

A URL with a very long text listname such as


will echo the text in the "No such list" error response. This can be
used to make a potential victim think the phishing text comes from a
trusted site.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

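One way a CGI could stop reflecting requester-supplied text in a "No such list" response, shown as an added example that is neither Mailman's code nor the fix adopted for this bug. The function names, the `<em>` message format, the list-name pattern, the 64-character cap and the sample path are all assumptions made for illustration.

```python
import html
import re

# Assumed policy for this example: list names are short and use a
# conservative character set. Neither value is taken from Mailman.
MAX_LISTNAME_LEN = 64
LISTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

# Constructed sample: PATH_INFO after the web server has URL-decoded it.
SAMPLE_PATH = "/EXAMPLE INJECTED SENTENCE shown to the reader as if the site wrote it"


def listname_from_path(path_info):
    """Return the first path component, which the CGI treats as the list name."""
    parts = [p for p in path_info.split("/") if p]
    return parts[0] if parts else ""


def no_such_list_echoing(listname):
    """Behaviour described in the report: the requested name is echoed back.

    HTML escaping blocks markup injection but does nothing about plain
    prose, which is the issue here.
    """
    return "No such list <em>%s</em>" % html.escape(listname)


def no_such_list_hardened(listname):
    """Echo the name only when it is a plausible list name."""
    if len(listname) <= MAX_LISTNAME_LEN and LISTNAME_RE.fullmatch(listname):
        return "No such list <em>%s</em>" % html.escape(listname)
    # Anything else is treated as untrusted text and is not reflected.
    return "No such list"


if __name__ == "__main__":
    name = listname_from_path(SAMPLE_PATH)
    print(no_such_list_echoing(name))
    print(no_such_list_hardened(name))
    print(no_such_list_hardened("mailman-users"))
```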