Mandriva Linux Security Advisory 2011-036 - Multiple cross-site scripting vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the username field in a confirmation message.
ea5c67f8416addc10d7426c9a007de08e8c3a2a7563158dfc18282c74b813aa4
Ubuntu Security Notice 1069-1 - It was discovered that Mailman did not properly sanitize certain fields, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
fdba9a23075e131a564baf3270fe1ab05ec54aef3f93be54371d55937b4d212a
Debian Linux Security Advisory 2170-1 - Two cross-site scripting vulnerabilities have been discovered in Mailman, a web-based mailing list manager. These allowed an attacker to retrieve session cookies by inserting crafted JavaScript into confirmation messages (CVE-2011-0707) and in the list admin interface (CVE-2010-3089; oldstable only).
bf4c1ab6425684582dd00c580956547795a061ac12e8a962764fb21a775b50ee