
Justingit

#29124 of 53,624
8.8 Total CVSS
Vulnerabilities · 1
PT-2021-23076 · CVSS 8.8 · 2021-09-20
Dada Mail · Dada Mail · CVE-2021-41083
**Name of the Vulnerable Software and Affected Versions**

Dada Mail versions 11.15.1 and below

**Description**

A CSRF vulnerability in Dada Mail allows a bad actor to control the list control panel as if they were logged in themselves. This can be achieved by giving the target a carefully crafted web page via email, SMS, etc. The vulnerability affects profile logins and allows the bad actor to change mailing list passwords and the Dada Mail Root Password, potentially shutting out the actual list owners. For this vulnerability to work, the target must be logged into the list control panel at the time. Although no known exploits have occurred in the wild, the vulnerability has been confirmed by testing and by a third party.

**Recommendations**

Update to version 11.16.0 to resolve the issue. As a temporary workaround, consider restricting access to the list control panel to minimize the risk of exploitation.