CVE-2021-42097 - log back

CVE-2021-42097 edited at 21 Oct 2021 09:00:15
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site request forgery
Description
+ GNU Mailman before 2.1.35 may allow remote privilege escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
References
+ https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
+ https://bugs.launchpad.net/mailman/+bug/1947640
+ https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873
Notes
CVE-2021-42097 created at 21 Oct 2021 08:35:50