Potential Privilege escalation via the user options page.
Bug #1947639 reported by Mark Sapiro
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GNU Mailman | Fix Released | Medium | Mark Sapiro | |
Bug Description
The `csrf_token` generated for the `options` page is always an `admin` token rather than specific to the authenticated user for that session. This admin token contains information that is derived from the hashed list admin password, which could theoretically allow a brute-force attack to obtain the list admin password.
Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix.
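The following is an added illustration, not Mailman's own code and not the token format of any Mailman release. It models a hypothetical CSRF-token scheme with the property the report describes: the token's tag is keyed on material derived from the list admin password hash and is the same regardless of which user is logged in. With such a token in hand, an attacker can test password guesses offline against the tag, and a token issued to an ordinary member carries admin-level material. The fixed variant keys the tag on a random server secret and binds it to the authenticated user. List name, password, wordlist and nonce are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the report): a weak list admin password
# and a short wordlist an attacker might try offline.
LIST_NAME = "mylist"
ADMIN_PASSWORD = "letmein2021"
WORDLIST = ["password", "mailman", "letmein", "admin123", "letmein2021"]


def admin_password_hash(password):
    """Stand-in for the stored list-admin password hash (assumed unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def weak_csrf_token(list_name, password_hash, nonce):
    """Weak scheme (hypothetical): the tag is keyed on material derived from the
    admin password hash and carries no user identity, so every visitor of the
    options page receives the same admin-derived token."""
    msg = f"{list_name}:{nonce}".encode()
    tag = hmac.new(password_hash, msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{tag}"


def crack_weak_token(list_name, token, wordlist):
    """Offline brute force: a token holder recomputes the tag for each guess and
    compares locally. No requests reach the server, so login rate limits do not
    slow this down; only the password's entropy does."""
    nonce, _tag = token.split(":", 1)
    for guess in wordlist:
        candidate = weak_csrf_token(list_name, admin_password_hash(guess), nonce)
        if hmac.compare_digest(candidate, token):
            return guess
    return None


def fixed_csrf_token(list_name, server_secret, user, nonce):
    """Fixed scheme (hypothetical): keyed on a random server secret that is
    independent of any password, and bound to the authenticated user, so a
    member's token neither leaks password material nor validates as admin."""
    msg = f"{list_name}:{user}:{nonce}".encode()
    tag = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{tag}"


def verify_fixed_token(list_name, server_secret, expected_user, token):
    """Accept only a token minted for expected_user under this server secret."""
    try:
        user, nonce, _tag = token.split(":", 2)
    except ValueError:
        return False
    if user != expected_user:
        return False
    expected = fixed_csrf_token(list_name, server_secret, user, nonce)
    return hmac.compare_digest(expected, token)


def demo():
    """Returns (recovered_password, member_token_ok_for_member, member_token_ok_as_admin)."""
    nonce = "1634000000"
    weak = weak_csrf_token(LIST_NAME, admin_password_hash(ADMIN_PASSWORD), nonce)
    recovered = crack_weak_token(LIST_NAME, weak, WORDLIST)  # "letmein2021"

    server_secret = secrets.token_bytes(32)
    member = "alice@example.com"
    member_token = fixed_csrf_token(LIST_NAME, server_secret, member, nonce)
    ok_for_member = verify_fixed_token(LIST_NAME, server_secret, member, member_token)  # True
    ok_as_admin = verify_fixed_token(LIST_NAME, server_secret, "admin", member_token)  # False
    return recovered, ok_for_member, ok_as_admin


if __name__ == "__main__":
    print(demo())
```

The brute force works in the weak scheme only because the key material is a deterministic function of the admin password: every candidate password yields a verifiable tag. In the fixed scheme the key is a random secret the attacker never sees, so a captured token gives no oracle, and the user binding means a token minted for one session cannot be replayed as another principal's.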
Activity log:

- summary: "Potential Privilege escallation via the user options page." → "Potential Privilege escalation via the user options page."
- information type: Private Security → Public Security
- Changed in mailman: status: In Progress → Fix Released