CVE-2021-40347

low-risk
Published 2021-09-10

An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.

Do I need to act?

-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Postorius

Affected Vendors

Postorius Project

References (12)

Mailing List https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
Patch https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64...
Exploit https://gitlab.com/mailman/postorius/-/issues/531
Third Party Advisory https://gitlab.com/mailman/postorius/-/tags
Exploit https://phabricator.wikimedia.org/T289798
Third Party Advisory https://www.debian.org/security/2021/dsa-4970
Mailing List https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
Patch https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64...
Exploit https://gitlab.com/mailman/postorius/-/issues/531
Third Party Advisory https://gitlab.com/mailman/postorius/-/tags
Exploit https://phabricator.wikimedia.org/T289798
Third Party Advisory https://www.debian.org/security/2021/dsa-4970
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal