Check a user owns the email they are trying to unsubscribe (CVE-2021-40347)
The list unsubscribe/ endpoint now performs validation that the user making the request owns the email address they have requested be unsubscribed. Without this check, any logged-in user could unsubscribe any other email address from any list, also leaking whether that address was subscribed in the first place. Closes #531.
Loading
Please register or sign in to comment