Arbitrary Content Injection via the private archive login page.

Bug #1877379 reported by Mark Sapiro on 2020-05-07
Affects: GNU Mailman
Assigned to: Mark Sapiro

Bug Description

This is essentially the same as except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.

This is fixed by the attached patch.

Mark Sapiro (msapiro) on 2020-05-07
Changed in mailman:
status: In Progress → Fix Released