{"id":"CVE-2016-6893","details":"Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.","modified":"2026-03-14T09:20:28.320121Z","published":"2016-09-02T14:59:09.283Z","related":["MGASA-2016-0343","SUSE-SU-2018:1638-1","SUSE-SU-2018:4296-1","SUSE-SU-2019:13924-1","SUSE-SU-2019:14068-1","openSUSE-SU-2024:10215-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/92731"},{"type":"WEB","url":"http://www.securitytracker.com/id/1036728"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3668"},{"type":"REPORT","url":"https://bugs.launchpad.net/bugs/1614841"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6893.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.5"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.6"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.8"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.9"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.10"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.10-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.10b1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.10b3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.10b4"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.11"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.11-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.11-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.12"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.12-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.12-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.13"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.13-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.14"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.14-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.14-1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.15"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.15-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.16"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.16-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.16-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.16-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.17"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.18"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.18-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.18-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.18-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.18-1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.19"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.19-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.19-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.19-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.21"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.21-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.22"}]},{"events":[{"introduced":"0"},{"last_affected":"2.1.23"}]},{"events":[{"introduced":"2.1.x"},{"fixed":"2.1.23"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}