OK. So by brute force attempts, trying multiple possibilities for the list name, you can discover an actual list name on the site, assuming that there are no public lists and merely visiting https://example.com/mailman/listinfo doesn't give you any list names.
So now you have a valid list name, and you go to https://example.com/mailman/edithtml/valid_list/listinfo.html?html_code=XSS%20demo - you still have to authenticate with the list admin password in order for the update to succeed. I don't see a real issue here as long as the list admin password is secure.

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1884752

Title: Brute forcing to match the admin list at www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo

To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1884752/+subscriptions

_______________________________________________
Mailman-coders mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-coders.python.org/
Member address: [email protected]
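The sequence the comment describes (guessing list names under /mailman/listinfo/, then reaching /mailman/edithtml/<list>/ with an html_code parameter) leaves a recognisable trace in the web server's access log. The following Python is an added example, not code from the bug report or from Mailman itself: it flags any client that requests several distinct list names and records every edithtml request carrying html_code. The log lines, addresses, list names and the threshold of three names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample access-log lines in Apache combined-style format
# (not taken from the original report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:12:00:01 +0000] "GET /mailman/listinfo/staff HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2020:12:00:02 +0000] "GET /mailman/listinfo/tests HTTP/1.1" 200 480
203.0.113.5 - - [10/Jun/2020:12:00:03 +0000] "GET /mailman/listinfo/dev HTTP/1.1" 200 480
203.0.113.5 - - [10/Jun/2020:12:00:04 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 480
203.0.113.5 - - [10/Jun/2020:12:00:09 +0000] "GET /mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jun/2020:12:01:00 +0000] "GET /mailman/listinfo/tests HTTP/1.1" 200 3100
"""

# Client IP, request path and status from one access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Per-list pages whose name component an attacker would have to guess.
LISTNAME_RE = re.compile(r'^/mailman/(?:listinfo|admin)/(?P<name>[^/?]+)')
# Template-editing page; the query string is inspected for html_code.
EDITHTML_RE = re.compile(r'^/mailman/edithtml/(?P<name>[^/?]+)/[^?]*\?(?P<qs>.*)$')


def analyze(log_text, enum_threshold=3):
    """Return (enumerating, edithtml_hits).

    enumerating: {ip: sorted list names} for clients that touched at least
    enum_threshold distinct list names (a name-guessing pattern).
    edithtml_hits: [(ip, list name)] for requests that passed html_code
    to the edithtml page. These only succeed with the list admin password,
    so each hit is worth correlating with the admin login state.
    """
    names_by_ip = defaultdict(set)
    edithtml_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        lm = LISTNAME_RE.match(path)
        if lm:
            names_by_ip[ip].add(lm.group("name"))
        em = EDITHTML_RE.match(path)
        if em and "html_code" in parse_qs(em.group("qs")):
            edithtml_hits.append((ip, em.group("name")))
    enumerating = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= enum_threshold}
    return enumerating, edithtml_hits
```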
