CVE-2016-6893
Summary
| CVE | CVE-2016-6893 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-09-02 14:59:09 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. |
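The flaw class in the description above (CWE-352 on a per-subscriber options form), as an added illustration that is not GNU Mailman's code and does not reproduce its fix: a minimal options POST handler that trusts the session cookie alone, beside one that also requires a user-bound, time-limited HMAC token, with a simulated cross-site password change replayed against both. The handler names, the `SESSIONS` table, `SERVER_KEY`, the token layout and the "password"/"digest" option names are all constructed for this example.

```python
"""Illustration of the CSRF (CWE-352) pattern behind CVE-2016-6893.

Hypothetical code, not GNU Mailman's: two versions of a per-subscriber
"options" POST handler, one that trusts the session cookie alone and one
that also demands a user-bound, time-limited HMAC token, plus a simulated
cross-site POST against each. All names, cookies and keys are constructed.
"""
import hashlib
import hmac
import time

# Constructed session table: session cookie value -> authenticated subscriber.
SESSIONS = {
    "sess-victim": "victim@example.org",
    "sess-attacker": "attacker@example.org",
}
# Constructed per-site secret; a real deployment would generate this randomly.
SERVER_KEY = b"constructed-per-site-secret-do-not-reuse"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid (assumption)


def vulnerable_options_handler(state, cookies, form):
    """Pre-fix pattern: the only authentication is the session cookie.
    A browser attaches that cookie to a form POST from any origin, so a
    page the attacker controls can change the victim's options."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "not authenticated"
    state.setdefault(user, {})[form["option"]] = form["value"]
    return "ok"


def issue_csrf_token(user, issued, key=SERVER_KEY):
    """Token = '<issued>.<HMAC-SHA256(key, user:issued)>'. Binding the MAC
    to the user means a token the attacker obtains for their own account
    does not verify for the victim; the timestamp bounds replay."""
    mac = hmac.new(key, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_csrf_token(token, user, now, key=SERVER_KEY, max_age=TOKEN_MAX_AGE):
    """Return True only for a well-formed, unexpired token minted for `user`."""
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False  # missing, non-string or malformed token
    if not 0 <= now - issued <= max_age:
        return False  # stale or from-the-future timestamp
    expected = hmac.new(key, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def hardened_options_handler(state, cookies, form, now=None):
    """Post-fix pattern: same cookie check, plus a token that the attacker's
    page cannot read (same-origin policy) and cannot forge (server key)."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "not authenticated"
    now = int(time.time()) if now is None else now
    if not check_csrf_token(form.get("csrf_token"), user, now):
        return "csrf check failed"
    state.setdefault(user, {})[form["option"]] = form["value"]
    return "ok"


def simulate_attack(now=1_700_000_000):
    """Replay one forged cross-site POST (an attacker-chosen password change,
    the impact named in the CVE description) against both handlers, then a
    legitimate same-origin POST against the hardened one."""
    victim_cookie = {"session": "sess-victim"}  # attached by the victim's browser
    forged = {"option": "password", "value": "attacker-chosen"}
    results = {}

    state = {}
    results["vulnerable"] = vulnerable_options_handler(state, victim_cookie, forged)
    results["vulnerable_state"] = state.get("victim@example.org")

    state = {}
    # 1) Attacker's page carries no token at all.
    results["hardened_no_token"] = hardened_options_handler(
        state, victim_cookie, forged, now)
    # 2) Attacker logs in to their own account and replays that token.
    stolen = issue_csrf_token("attacker@example.org", now)
    results["hardened_attacker_token"] = hardened_options_handler(
        state, victim_cookie, dict(forged, csrf_token=stolen), now)
    # 3) An old victim token (e.g. from a cached page) past max_age.
    stale = issue_csrf_token("victim@example.org", now - 2 * TOKEN_MAX_AGE)
    results["hardened_stale_token"] = hardened_options_handler(
        state, victim_cookie, dict(forged, csrf_token=stale), now)
    # 4) The victim's own form, rendered by the server with a fresh token.
    fresh = issue_csrf_token("victim@example.org", now - 60)
    own_form = {"option": "digest", "value": "on", "csrf_token": fresh}
    results["hardened_legit"] = hardened_options_handler(
        state, victim_cookie, own_form, now)
    results["hardened_state"] = state.get("victim@example.org")
    return results


if __name__ == "__main__":
    for name, outcome in simulate_attack().items():
        print(f"{name}: {outcome}")
```

The forged POST succeeds against the cookie-only handler and lands an attacker-chosen password in the victim's options; against the hardened handler every variant the attacker can produce (no token, a token for the attacker's own account, an expired victim token) is rejected, while the victim's own form, which the server rendered with a fresh token, still works. Binding the MAC to the authenticated user is the part that matters most: a token that is merely secret but not user-specific can be minted by the attacker for their own account and replayed.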
Risk And Classification
Primary CVSS: v3.0 8.8 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0034 (0.34% probability of exploitation activity in the next 30 days), percentile 0.5665 (date 2026-05-06)
Problem Types: CWE-352 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality: Partial
- Integrity: Partial
- Availability: Partial
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Gnu | Mailman | 2.1 | All | All | All |
| Application | Gnu | Mailman | 2.1.1 | All | All | All |
| Application | Gnu | Mailman | 2.1.10 | All | All | All |
| Application | Gnu | Mailman | 2.1.10 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.10b1 | All | All | All |
| Application | Gnu | Mailman | 2.1.10b3 | All | All | All |
| Application | Gnu | Mailman | 2.1.10b4 | All | All | All |
| Application | Gnu | Mailman | 2.1.11 | All | All | All |
| Application | Gnu | Mailman | 2.1.11 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.11 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.12 | All | All | All |
| Application | Gnu | Mailman | 2.1.12 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.12 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.13 | All | All | All |
| Application | Gnu | Mailman | 2.1.13 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.14 | All | All | All |
| Application | Gnu | Mailman | 2.1.14 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.14-1 | All | All | All |
| Application | Gnu | Mailman | 2.1.15 | All | All | All |
| Application | Gnu | Mailman | 2.1.15 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.16 | All | All | All |
| Application | Gnu | Mailman | 2.1.16 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.16 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.16 | rc3 | All | All |
| Application | Gnu | Mailman | 2.1.17 | All | All | All |
| Application | Gnu | Mailman | 2.1.18 | All | All | All |
| Application | Gnu | Mailman | 2.1.18 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.18 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.18 | rc3 | All | All |
| Application | Gnu | Mailman | 2.1.18-1 | All | All | All |
| Application | Gnu | Mailman | 2.1.19 | All | All | All |
| Application | Gnu | Mailman | 2.1.19 | rc1 | All | All |
| Application | Gnu | Mailman | 2.1.19 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.19 | rc3 | All | All |
| Application | Gnu | Mailman | 2.1.2 | All | All | All |
| Application | Gnu | Mailman | 2.1.20 | All | All | All |
| Application | Gnu | Mailman | 2.1.21 | All | All | All |
| Application | Gnu | Mailman | 2.1.21 | rc2 | All | All |
| Application | Gnu | Mailman | 2.1.22 | All | All | All |
| Application | Gnu | Mailman | 2.1.23 | All | All | All |
| Application | Gnu | Mailman | 2.1.3 | All | All | All |
| Application | Gnu | Mailman | 2.1.4 | All | All | All |
| Application | Gnu | Mailman | 2.1.5 | All | All | All |
| Application | Gnu | Mailman | 2.1.6 | All | All | All |
| Application | Gnu | Mailman | 2.1.8 | All | All | All |
| Application | Gnu | Mailman | 2.1.9 | All | All | All |
Note: the CPE list above includes 2.1.23, but the description gives 2.1.23 as the first release that is not affected ("2.1.x before 2.1.23"); when matching installed versions, treat 2.1.23 and later as fixed and the description as authoritative.
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| GNU Mailman CVE-2016-6893 Cross Site Request Forgery Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Debian -- Security Information -- DSA-3668-1 mailman | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Bug #1614841 “CSRF protection needs to be extended to the user o...” : Bugs : GNU Mailman | af854a3a-2127-422b-91ae-364da2661108 | bugs.launchpad.net | Issue Tracking |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159545 Oracle Enterprise Linux Security Update for mailman (ELSA-2021-4913)
- 239928 Red Hat Update for mailman (RHSA-2021:4913)
- 257134 CentOS Security Update for mailman (CESA-2021:4913)
- 353123 Amazon Linux Security Advisory for mailman : ALAS2-2022-1740
- 377175 Alibaba Cloud Linux Security Update for mailman (ALINUX2-SA-2021:0069)
- 671247 EulerOS Security Update for mailman (EulerOS-SA-2022-1177)
- 671336 EulerOS Security Update for mailman (EulerOS-SA-2022-1277)