** Description changed:

  A list moderator or list member can potentially carry out a CSRF attack
- by getting a list admin to visit a crafted web page
+ by getting a list admin to visit a crafted web page.
+
+ A moderator or list member can get an admindb or options page with a
+ CSRF token and use that token in a crafted POST request to the admin
+ page to change the list admin password or other settings and convince an
+ admin to submit the POST.
+
+ Likewise, a list member can do the same with a POST to the admindb page
+ to handle requests.
-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1952384

Title:
  A CSRF vulnerability could allow a list moderator or list member to
  access the admin UI

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1952384/+subscriptions

_______________________________________________
Mailman-coders mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-coders.python.org/
Member address: [email protected]
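The description above turns on one property: a CSRF token handed out on the options or admindb page is also accepted by the admin page. The following Python is an added illustration of that defect and its mitigation; it is not Mailman's code and not the patch Mailman shipped. It contrasts a token bound only to the list name (so a token obtained from any page of the list is valid on every page) with one that also commits to the requester's role and the page it was issued for, and it shows an admin-page check that accepts only a token issued to an admin for that page. The secret key, the role and page labels, the token layout and the `admin_post_allowed` handler are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for this example only (assumption: a real
# deployment keeps a per-site secret outside the source tree).
SECRET_KEY = b"example-only-secret-not-for-production"

# Separator that cannot occur in a list name or page label, so the
# concatenated parts are unambiguous.
_SEP = "\x00"


def _mac(secret, *parts):
    """HMAC-SHA256 over the NUL-joined parts, hex encoded."""
    msg = _SEP.join(str(p) for p in parts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def _verify(token, secret, parts, max_age, now):
    """Shared check: token is '<timestamp>:<mac>', fresh, and MAC matches."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not 0 <= current - ts <= max_age:  # expired or from the future
        return False
    expected = _mac(secret, *parts, ts)
    return hmac.compare_digest(mac.encode(), expected.encode())


# --- Weak scheme: token bound only to the list -----------------------------

def weak_make_token(listname, secret=SECRET_KEY, now=None):
    """Token committing to list name and issue time only. Any page of the
    list that shows such a token (options, admindb, ...) yields a token the
    admin page cannot distinguish from its own."""
    ts = int(now if now is not None else time.time())
    return f"{ts}:{_mac(secret, listname, ts)}"


def weak_verify_token(token, listname, secret=SECRET_KEY, max_age=3600, now=None):
    return _verify(token, secret, (listname,), max_age, now)


# --- Hardened scheme: token bound to list, role and target page ------------

def make_token(listname, role, page, secret=SECRET_KEY, now=None):
    """Token committing to the list, the authenticated role it was issued to
    ('member', 'moderator', 'admin') and the page it is meant to be posted to."""
    ts = int(now if now is not None else time.time())
    return f"{ts}:{_mac(secret, listname, role, page, ts)}"


def verify_token(token, listname, role, page, secret=SECRET_KEY, max_age=3600, now=None):
    return _verify(token, secret, (listname, role, page), max_age, now)


def admin_post_allowed(form, listname, now=None):
    """Simulated admin-page POST gate (assumed handler): the token must have
    been issued to an admin for the admin page; tokens from the options or
    admindb pages, or issued to a member or moderator, are rejected."""
    return verify_token(form.get("csrf_token", ""), listname, "admin", "admin", now=now)


if __name__ == "__main__":
    issued, later = 1000, 1500
    # Weak scheme: a token shown on the options page passes the admin check.
    t_weak = weak_make_token("mylist", now=issued)
    print("weak, options token on admin page:",
          weak_verify_token(t_weak, "mylist", now=later))
    # Hardened scheme: the same replay is refused, a genuine admin token is not.
    t_member = make_token("mylist", "member", "options", now=issued)
    t_admin = make_token("mylist", "admin", "admin", now=issued)
    print("hardened, options token on admin page:",
          admin_post_allowed({"csrf_token": t_member}, "mylist", now=later))
    print("hardened, admin token on admin page:",
          admin_post_allowed({"csrf_token": t_admin}, "mylist", now=later))
```

Binding the token to role and page is one layer; the admin handler should still re-check the admin session cookie on every state-changing POST, since a page-bound token only proves the request was formed by someone who could load that page as that role.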
