Public bug reported:

This is essentially the same as
https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the
private archive login page and the attack only succeeds if the list's
roster visibility (private_roster) setting is 'Anyone'.

This is fixed by the attached patch.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

** Patch added: "Patch to fix this issue"
   https://bugs.launchpad.net/bugs/1877379/+attachment/5367829/+files/private.diff

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1877379

Title:
  Arbitrary Content Injection via the private archive login page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1877379/+subscriptions
_______________________________________________
Mailman-coders mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-coders.python.org/
Member address: [email protected]