2020

CVE-2020-12137 (v3: 6.1) 24 Apr 2020
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

2019

2018

CVE-2018-18674 (v3: 6.1) 7 Nov 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board tail contents" parameter, aka the adm/board_form_update.php bo_content_tail parameter.
CVE-2018-18678 (v3: 6.1) 30 Oct 2019
GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board group extra contents" parameter, aka the adm/boardgroup_form_update.php gr_1~10 parameter.
CVE-2018-18668 (v3: 6.1) 26 Aug 2019
GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.
CVE-2018-18670 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.
CVE-2018-18675 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "mobile board title contents" parameter, aka the adm/board_form_update.php bo_mobile_subject parameter.
CVE-2018-18676 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "mobile board tail contents" parameter, aka the adm/board_form_update.php bo_mobile_content_tail parameter.
CVE-2018-18671 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "mobile board head contents" parameter, aka the adm/board_form_update.php bo_mobile_content_head parameter.
CVE-2018-18673 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Menu Link" parameter, aka the adm/menu_list_update.php me_link parameter.
CVE-2018-18669 (v3: 6.1) 23 Jul 2019
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
CVE-2018-15580 (v3: 6.1) 26 Apr 2019
Cross-Site Scripting (XSS) vulnerability in adm/contentformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15581 (v3: 6.1) 26 Apr 2019
Cross-Site Scripting (XSS) vulnerability in adm/faqmasterformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15582 (v3: 6.1) 26 Apr 2019
Cross-Site Scripting (XSS) vulnerability in adm/sms_admin/num_book_write.php and adm/sms_admin/num_book_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15584 (v3: 6.1) 26 Apr 2019
Cross-Site Scripting (XSS) vulnerability in adm/boardgroup_form_update.php and adm/boardgroup_list_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.
CVE-2018-15585 (v3: 6.1) 27 Mar 2019
Cross-Site Scripting (XSS) vulnerability in newwinform.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.
CVE-2018-15583 (v3: 6.1) 25 Mar 2019
Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.
CVE-2018-0618 (v3: 5.4) 26 Jul 2018
Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-5950 (v3: 6.1) 23 Jan 2018
Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.

2017

CVE-2017-18572 (v3: 6.1) 22 Aug 2019
The gnucommerce plugin before 1.4.2 for WordPress has XSS.

2016

CVE-2016-10920 (v3: 6.1) 22 Aug 2019
The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS.

2015

CVE-2015-3942 (v2: 4.3) 4 Aug 2015
Multiple cross-site scripting (XSS) vulnerabilities in the web-server component in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Magnum 10K switches allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2014

2013

2012

CVE-2012-4873 (v2: 4.3) 6 Sep 2012
Cross-site scripting (XSS) vulnerability in the file_download function in GNUBoard before 4.34.21 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.

2011

CVE-2011-5024 (v2: 4.3) 29 Dec 2011
Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mailman/htdig integration patch for Mailman allows remote attackers to inject arbitrary web script or HTML via the config parameter.
CVE-2011-0707 (v2: 4.3) 22 Feb 2011
Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.