https://bugzilla.suse.com/show_bug.cgi?id=1190439

Bug ID: 1190439
Summary: VUL-1: CVE-2021-40347: python-postorius: postorious -- security update
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
URL: https://smash.suse.de/issue/309778
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: asn@cryptomilk.org
Reporter: gabriele.sonnu@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40347
http://www.debian.org/security/-1/dsa-4970
https://www.debian.org/security/2021/dsa-4970
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40347
https://gitlab.com/mailman/postorius/-/tags
https://gitlab.com/mailman/postorius/-/issues/531
https://phabricator.wikimedia.org/T289798
https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d7...

--
You are receiving this mail because:
You are on the CC list for the bug.