A vulnerability could allow a list moderator to discover the admin password.
Bug #1949403 reported by Mark Sapiro
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Undecided | Mark Sapiro |
Bug Description
The CSRF token for the admindb page contains an encrypted version of the list admin password which could potentially be cracked by a moderator via an off-line brute force attack.
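As an added illustration (not Mailman's own code), the token shape the report warns about beside a hardened one: the weak token's digest is a function of the admin password, so one captured token is enough to test password guesses offline, while an HMAC keyed by a random server-side secret that is independent of any password carries no password material at all. The function names, the `listname`/`context` fields and the `issued:mac` format are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed illustration (not Mailman's code) of the flaw in this report:
# a CSRF token whose digest is computed from the list admin password lets
# anyone who receives the token test password guesses offline.

def weak_csrf_token(admin_password: str, issued: int) -> str:
    # Digest over the password and a timestamp that is itself sent in the
    # clear: the only unknown input is the password, so a single token is
    # enough to check candidate passwords without talking to the server.
    digest = hashlib.sha1(f"{admin_password}:{issued}".encode()).hexdigest()
    return f"{issued}:{digest}"

def token_depends_on_password(make_token) -> bool:
    # Check a token scheme for the property this bug is about: if changing
    # only the password changes the token, the token carries password material.
    return make_token("password-a") != make_token("password-b")

def safe_csrf_token(server_secret: bytes, listname: str,
                    context: str, issued: int) -> str:
    # Hardened form: an HMAC keyed by a random server-side secret that is
    # independent of any user password.  The token binds the list, the page
    # context (e.g. "admindb") and the issue time, and reveals nothing that
    # helps guess the admin password.
    msg = f"{listname}:{context}:{issued}".encode()
    mac = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"

def verify_safe_csrf_token(server_secret: bytes, listname: str, context: str,
                           token: str, now: int, max_age: int = 3600) -> bool:
    # Reject malformed, expired, re-contexted or tampered tokens; compare in
    # constant time so verification itself does not leak the expected MAC.
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:
        return False
    expected = safe_csrf_token(server_secret, listname, context, issued)
    return hmac.compare_digest(expected.split(":", 1)[1], mac)
```

The `server_secret` must be generated randomly per installation and stored server-side; deriving it from the admin password would reintroduce the same leak.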
Changed in mailman | From | To
---|---|---
status | In Progress | Fix Committed
information type | Private Security | Public Security
status | Fix Committed | Fix Released
The patch originally attached to this report created another issue: https://bugs.launchpad.net/mailman/+bug/1950833
This is a corrected patch.