Title: fml Mailing List HTML Injection Vulnerability
Severity: MODERATE
Description:
The fml Mailing List Server is a collection of perl scripts providing mailing list administration functionality for Linux and other systems. It includes support for a web based archive.
When index pages are created for these archives, the characters < and > are not properly escaped in email subject lines. This could lead to the injection of additional HTML tags, altering the appearance of the displayed page.
It is possible that javascript commands could be inserted through the mail subject, exposing anyone viewing the page to a cross-site scripting attack. This may reveal any sensitive information stored in cookie's used by the flm domain.
Earlier versions of flm may share this vulnerability.
Affected Products:
- Debian Linux 2.2.0
- Ken'ichi Fukamachi flm 3.0.0
References:
- Ken'ichi Fukamachi: "fml" Mailing List Server Package
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
