Check a user owns the email they are trying to unsubscribe (CVE-2021-40347)
The list unsubscribe/ endpoint now performs validation that the user making the request owns the email address they have requested be unsubscribed. Without this check, any logged-in user could unsubscribe any other email address from any list, also leaking whether that address was subscribed in the first place. Closes #531.
parent
1a460f92
Please register or sign in to comment