Description


A reflected cross-site scripting (XSS) vulnerability exists in L-Soft LISTSERV before 16.5-2018a via the OK parameter of /scripts/wa.exe.


To test whether or not you are affected by this vulnerability, go to


http://127.0.0.1/scripts/wa.exe?OK=<svg/onload=%26%23097lert%26lpar;'MTK')>


(or replace the localhost address with the FQDN of your LISTSERV server).  If you get a popup alert box in your browser, you are affected.  If instead you see something like this:


OK ?svg/onload=alert(?MTK?)?

Invalid confirmation code  - "?SVG/ONLOAD=&#097LERT&LPAR;?MTK?)?". You must
type the  confirmation code  exactly as  it was  shown in  the confirmation
request. If you have lost it, then just send the command again to get a new
confirmation code.


you do not have the problem.


https://nvd.nist.gov/vuln/detail/CVE-2019-15501
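
A detection-side companion to the test above, added here as an example (it is not part of the original advisory or of L-Soft's code): it scans web server access log lines for wa.exe requests whose OK parameter, once percent-decoded and entity-decoded, is not a plain confirmation code. The log format, the sample lines, the function names, the case-insensitive match on the parameter name, and the rule that legitimate codes are short alphanumeric tokens are all assumptions.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: a legitimate OK confirmation code is a short alphanumeric token.
EXPECTED_CODE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# Characters or attributes that only make sense if the value is meant as HTML.
MARKUP = re.compile(r"[<>\"']|\bon\w+\s*=", re.IGNORECASE)
# Request target inside a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, made-up codes).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:10:00:01 +0000] "GET /scripts/wa.exe?OK=4F2A9C1B HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2020:10:00:05 +0000] "GET /scripts/wa.exe?OK=%3Csvg/onload=%26%23097lert%26lpar;%27MTK%27)%3E HTTP/1.1" 200 734',
    '198.51.100.9 - - [01/Jan/2020:10:00:09 +0000] "GET /scripts/wa.exe?ok=4F2A-9C1B HTTP/1.1" 200 640',
    '198.51.100.3 - - [01/Jan/2020:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def ok_values(target):
    """Return the OK parameter values of a wa.exe request, decoded as a browser would."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wa.exe"):
        return []
    values = []
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).upper() == "OK":
            # Percent-decode first, then resolve entities such as &#097 and &lpar;
            values.append(html.unescape(unquote_plus(value)))
    return values


def scan(lines):
    """Return (line_number, verdict, decoded_value) for every suspicious OK value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        for value in ok_values(match.group(1)):
            if EXPECTED_CODE.match(value):
                continue
            verdict = "markup" if MARKUP.search(value) else "unexpected"
            hits.append((number, verdict, value))
    return hits
```

`scan(SAMPLE_LOG)` flags the second and third sample lines. The second line never contains the literal string "alert" in the log, which is why the value is decoded before it is matched.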

Mitigation


Upgrade to LISTSERV 16.5-2018a or later, which has a fix for this problem.  (However, L-Soft recommends upgrading to the current version, LISTSERV 17.0, at minimum.)


Release notes for LISTSERV 16.5-2018a:  https://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf


Release notes for LISTSERV 17.0:  https://lsoft.com/manuals/17.0/LISTSERV17.0_WhatsNew.pdf