PT-2021-22867 · GNU · GNU Mailman Postorius

Kevin Israel · Published 2021-09-09 · Updated 2024-03-14 · CVE-2021-40347

CVSS v2.0: 5.5 (Medium) · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: GNU Mailman Postorius versions prior to 1.3.5

Description: An issue was discovered in views/list.py in GNU Mailman Postorius. An attacker, logged into any account, can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.

Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the views/list.py module to minimize the risk of exploitation. Avoid using the vulnerable functionality in views/list.py until the issue is resolved.
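The access-control flaw described above, as an added illustration that is not Postorius's own code: a handler that trusts the address in the POST body beside one that authorises against the logged-in account and answers uniformly so membership cannot be probed. The `User`, `MailingList` and function names, and the sample addresses, are constructed for this example.

```python
# Added illustration of the CVE-2021-40347 pattern (not Postorius code).
# Names, types and sample data are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    verified_addresses: set[str]   # addresses this account has proven it owns


@dataclass
class MailingList:
    name: str
    members: set[str] = field(default_factory=set)


def unsubscribe_vulnerable(user: User, mlist: MailingList, email: str) -> str:
    """Trusts the POSTed address: any logged-in user can remove anyone, and the
    two distinct replies reveal whether the address was subscribed at all."""
    if email in mlist.members:
        mlist.members.remove(email)
        return f"{email} has been unsubscribed from {mlist.name}."
    return f"{email} is not a member of {mlist.name}."


def unsubscribe_fixed(user: User, mlist: MailingList, email: str) -> str:
    """Authorises against the session's verified addresses, not the request
    body, and returns the same message whether or not the address was a
    member, so the endpoint is no longer a subscription oracle."""
    owned = {a.lower() for a in user.verified_addresses}
    if email.lower() not in owned:
        return "You can only unsubscribe addresses that belong to your account."
    mlist.members.discard(email)   # idempotent: no subscribed/unsubscribed branch
    return f"If {email} was subscribed to {mlist.name}, it has been unsubscribed."


if __name__ == "__main__":
    alice = User("alice", {"alice@example.org"})
    announce = MailingList("announce", {"alice@example.org", "bob@example.org"})
    print(unsubscribe_fixed(alice, announce, "bob@example.org"))    # refused
    print(unsubscribe_fixed(alice, announce, "alice@example.org"))  # allowed
```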

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2021-40347
DSA-4970-1
GHSA-V83X-78Q3-GR2J
OPENSUSE-SU-2024:12306-1
PYSEC-2021-319
USN-5157-1

Affected Products

Gnu Mailman Postorius
Linuxmint
Ubuntu