Description
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
References (6)
Core 6
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://gitlab.com/mailman/postorius/-/issues/531
Exploit, Patch, Third Party Advisory x_refsource_misc
https://phabricator.wikimedia.org/T289798
Third Party Advisory x_refsource_misc
https://gitlab.com/mailman/postorius/-/tags
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2021/dsa-4970
Patch, Third Party Advisory x_refsource_confirm
https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
Mailing List, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
Scores
CVSS v3
5.4
EPSS
0.0021
EPSS Percentile
43.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
Status
published
Products (2)
postorius_project/postorius
< 1.3.5
pypi/postorius
0 - 1.3.5PyPI
Published
Sep 10, 2021
Tracked Since
Feb 18, 2026