Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2021-42097 - log back

CVE-2021-42097 edited at 21 Oct 2021 09:00:15

Severity

-	Unknown
+	Medium

Remote

-	Unknown
+	Remote

Type

-	Unknown
+	Cross-site request forgery

Description

+	GNU Mailman before 2.1.35 may allow remote privilege escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

References

+	https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
+	https://bugs.launchpad.net/mailman/+bug/1947640
+	https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

Notes

CVE-2021-42097 created at 21 Oct 2021 08:35:50