CVE-2021-40347
5.4 MEDIUM
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5
Published: 2021-09-10 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 5.4 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
| Vendor | Product |
|---|---|
| postorius_project | postorius |
Description
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-40347
- [Other] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
- [Patch] https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
- [Patch] https://gitlab.com/mailman/postorius/-/issues/531
- [Other] https://gitlab.com/mailman/postorius/-/tags
- [Patch] https://phabricator.wikimedia.org/T289798
- [Other] https://www.debian.org/security/2021/dsa-4970