Commit 3d880c56 authored by legoktm

Check a user owns the email they are trying to unsubscribe (CVE-2021-40347)

The list unsubscribe/ endpoint now performs validation that the user
making the request owns the email address they have requested be
unsubscribed. Without this check, any logged-in user could unsubscribe
any other email address from any list, also leaking whether that address
was subscribed in the first place.

Closes #531.
parent 1a460f92
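
The check described in the commit message, as an added sketch in Python; it is not the project's code or this commit's diff. `User`, `MailingList`, `PermissionDenied` and both `unsubscribe_*` functions are hypothetical names, and case-insensitive address comparison is an assumption.

```python
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    """The requester does not own the address they named."""

@dataclass
class User:  # hypothetical stand-in for a logged-in account
    username: str
    verified_emails: set = field(default_factory=set)

@dataclass
class MailingList:  # hypothetical stand-in for a list's roster
    name: str
    members: set = field(default_factory=set)

def _norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()

def unsubscribe_unchecked(user, mlist, email):
    """'Before' behaviour: being logged in is the only requirement."""
    addr = _norm(email)
    if addr not in mlist.members:
        return "not subscribed"  # tells any caller the membership state
    mlist.members.discard(addr)
    return "unsubscribed"

def unsubscribe_checked(user, mlist, email):
    """'After' behaviour: ownership is checked before the roster is read."""
    addr = _norm(email)
    if addr not in {_norm(e) for e in user.verified_emails}:
        # Same rejection whether or not addr is subscribed, so the
        # response cannot be used to probe membership.
        raise PermissionDenied("address does not belong to requesting user")
    if addr not in mlist.members:
        return "not subscribed"
    mlist.members.discard(addr)
    return "unsubscribed"

if __name__ == "__main__":
    # Constructed sample data.
    roster = MailingList("dev", {"alice@example.org"})
    mallory = User("mallory", {"mallory@example.org"})
    try:
        unsubscribe_checked(mallory, roster, "alice@example.org")
    except PermissionDenied as exc:
        print("rejected:", exc, "| roster:", roster.members)
```

The ordering is the point: rejecting on ownership before consulting the roster closes both the unauthorized removal and the membership leak.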