CVE-2021-40347

An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
postorius_projectpostorius
𝑥
< 1.3.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postorius
bullseye (security)
1.3.4-2+deb11u1
fixed
bullseye
1.3.4-2+deb11u1
fixed
bookworm
1.3.8-3
fixed
sid
1.3.10-1
fixed
trixie
1.3.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postorius
kinetic
Fixed 1.3.5-1
released
jammy
Fixed 1.3.5-1
released
impish
Fixed 1.3.4-2ubuntu0.1
released
hirsute
Fixed 1.3.4-1ubuntu0.1
released
focal
Fixed 1.2.4-1ubuntu0.1
released
bionic
Fixed 1.1.2-3ubuntu0.1
released
xenial
ignored
trusty
dne
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
https://gitlab.com/mailman/postorius/-/issues/531
https://gitlab.com/mailman/postorius/-/tags
https://phabricator.wikimedia.org/T289798
https://www.debian.org/security/2021/dsa-4970
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
https://gitlab.com/mailman/postorius/-/issues/531
https://gitlab.com/mailman/postorius/-/tags
https://phabricator.wikimedia.org/T289798
https://www.debian.org/security/2021/dsa-4970