CVE-2009-4896

Name: CVE-2009-4896
Description: Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2073-1
NVD severity: medium (attack range: remote)
Debian Bugs: 588038

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version      Status
mlmmj (PTS)      wheezy        1.2.18.0-2   fixed
mlmmj (PTS)      jessie        1.2.18.1-1   fixed
mlmmj (PTS)      stretch       1.2.19.0-1   fixed
mlmmj (PTS)      buster, sid   1.3.0-2      fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
mlmmj     source   (unstable)   1.2.17-1.1          medium    -            588038
mlmmj     source   lenny        1.2.15-1.1+lenny1   medium    DSA-2073-1   -
