Miggo Logo
Miggo Vulnerability Database
CVE-2018-13796

CVE-2018-13796: Moderate severity vulnerability that affects mailman

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-13796
GHSA ID
GHSA-xqvg-xm9m-p2c4
EPSS Score
0.63875%
CWE
CWE-20
Published
9/11/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
mailmanpip< 2.1.282.1.28

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in listinfo CGI handling where user-controlled listname parameters are reflected in error messages without proper validation. The primary vulnerable function is the listinfo CGI script that processes URL parameters and generates 'No such list' errors. Secondary consideration given to formatting functions that might handle the reflected text, though direct patch evidence is limited. The analysis combines CVE descriptions, bug report context about long list name handling, and Mailman's architecture patterns for web request processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *NU M*ilm*n ***or* *.*.**. * *r**t** URL **n **us* *r*itr*ry t*xt to ** *ispl*y** on * w** p*** *rom * trust** sit*.

Reasoning

T** vuln*r**ility m*ni**sts in listin*o **I **n*lin* w**r* us*r-*ontroll** listn*m* p*r*m*t*rs *r* r**l**t** in *rror m*ss***s wit*out prop*r v*li**tion. T** prim*ry vuln*r**l* *un*tion is t** listin*o **I s*ript t**t pro**ss*s URL p*r*m*t*rs *n* **n