Cross-Site Request Forgery in GNU Mailman Postorius Affects User Subscription Management
CVE-2021-40347

5.4 MEDIUM

Key Information:

CVE Published: 10 September 2021

What is CVE-2021-40347?

GNU Mailman Postorius before version 1.3.5 allows an authenticated attacker to submit crafted POST requests that unsubscribe other users from mailing lists without authorization. The flaw also leaks subscription status, since the attacker can determine whether a specific email address is subscribed to a given list. Upgrading to a version that is not affected (1.3.5 or later) removes the issue.
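As an added illustration (not Postorius code; list, users and addresses are constructed here), a minimal model of an unsubscribe handler that trusts the posted address, beside a hardened version that only acts on addresses owned by the requesting account and answers the same way whether or not the address was subscribed, so it cannot serve as a membership oracle.

```python
# Constructed model of the unsubscribe flaw described above; not Postorius code.
from dataclasses import dataclass, field


@dataclass
class MailingList:
    name: str
    members: set = field(default_factory=set)


@dataclass
class User:
    username: str
    addresses: set  # e-mail addresses verified as belonging to this account


def unsubscribe_vulnerable(mlist, user, email):
    """Acts on whatever address was posted: any logged-in user can remove
    anyone, and the two distinct outcomes reveal whether `email` was subscribed."""
    if email not in mlist.members:
        return "not a member"  # leaks subscription status
    mlist.members.discard(email)
    return "unsubscribed"


def unsubscribe_hardened(mlist, user, email):
    """Binds the action to the requesting account and gives one generic reply.

    Only addresses the user has verified may be unsubscribed, and the result
    does not depend on whether the address was a member, so an attacker can
    neither remove other people nor probe the member list."""
    if email not in user.addresses:
        return "forbidden"
    mlist.members.discard(email)  # no-op if the address was not subscribed
    return "request processed"


if __name__ == "__main__":
    announce = MailingList("announce", {"alice@example.org"})
    mallory = User("mallory", {"mallory@example.org"})
    print(unsubscribe_vulnerable(announce, mallory, "alice@example.org"))  # unsubscribed
    announce = MailingList("announce", {"alice@example.org"})
    print(unsubscribe_hardened(announce, mallory, "alice@example.org"))  # forbidden
```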

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
