GitHub Advisory DatabaseGHSA-V83X-78Q3-GR2JGNU Mailman Postorius Access Control Issues
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
50.4%
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| postorius_project | postorius | * | cpe:2.3:a:postorius_project:postorius:*:*:*:*:*:*:*:* |
References
bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
github.com/advisories/GHSA-v83x-78q3-gr2j
gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
gitlab.com/mailman/postorius/-/issues/531
gitlab.com/mailman/postorius/-/tags
nvd.nist.gov/vuln/detail/CVE-2021-40347
phabricator.wikimedia.org/T289798
www.debian.org/security/2021/dsa-4970
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
50.4%