Arbitrary Content Injection via the private archive login page.

Bug #1877379 reported by Mark Sapiro
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Fix Released
Mark Sapiro

Bug Description

This is essentially the same as except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.

This is fixed by the attached patch.

Related branches

CVE References

Revision history for this message
Mark Sapiro (msapiro) wrote :
Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.