Check a user owns the email they are trying to unsubscribe (CVE-2021-40347)

The list unsubscribe/ endpoint now performs validation that the user making the request owns the email address they have requested be unsubscribed. Without this check, any logged-in user could unsubscribe any other email address from any list, also leaking whether that address was subscribed in the first place.

Closes #531 (closed).
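The following is an added illustration of the authorization check this merge request describes; it is not HyperKitty's own code and does not reproduce its models or views. It uses a hypothetical in-memory `User` / `MailingList` model with constructed sample data, and places the vulnerable handler (no ownership check, return value reveals subscription status) next to the checked one (reject before touching subscription state, so a non-owner learns nothing):

```python
# Added example, not HyperKitty's code: a minimal model of a list
# unsubscribe endpoint, before and after the ownership check.
from __future__ import annotations

from dataclasses import dataclass, field


def normalize(address: str) -> str:
    """Canonical form used for all comparisons (constructed helper)."""
    return address.strip().lower()


@dataclass
class User:
    username: str
    # Addresses this account has verified it owns (hypothetical model).
    addresses: set[str] = field(default_factory=set)

    def owns(self, address: str) -> bool:
        return normalize(address) in {normalize(a) for a in self.addresses}


@dataclass
class MailingList:
    name: str
    # Subscribed addresses, stored in normalized form (hypothetical model).
    subscribers: set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requester does not own the submitted address."""


def unsubscribe_vulnerable(user: User, mlist: MailingList, email: str) -> str:
    """'Before' behaviour: the submitted email is trusted as-is.

    Any logged-in user can unsubscribe any address, and the two distinct
    responses reveal whether that address was subscribed at all.
    """
    addr = normalize(email)
    if addr in mlist.subscribers:
        mlist.subscribers.remove(addr)
        return "unsubscribed"
    return "not subscribed"


def unsubscribe_checked(user: User, mlist: MailingList, email: str) -> str:
    """'After' behaviour: only addresses the requester owns may be removed."""
    if not user.owns(email):
        # Reject before consulting subscription state, so a non-owner gets
        # the same error whether or not the address is on the list.
        raise Forbidden("you can only unsubscribe addresses you own")
    # discard() keeps a single response for owned addresses as well, so the
    # owner is the only party who can learn the address's membership.
    mlist.subscribers.discard(normalize(email))
    return "unsubscribed"


if __name__ == "__main__":
    # Constructed sample data: alice owns one address, bob is subscribed.
    alice = User("alice", {"alice@example.com"})
    mlist = MailingList("announce", {"alice@example.com", "bob@example.com"})

    print(unsubscribe_vulnerable(alice, mlist, "bob@example.com"))  # removes bob
    mlist.subscribers.add("bob@example.com")

    try:
        unsubscribe_checked(alice, mlist, "bob@example.com")
    except Forbidden as exc:
        print("rejected:", exc)  # bob stays subscribed
    print(unsubscribe_checked(alice, mlist, "Alice@Example.com"))  # owner path
```

Two points in the checked version carry the fix: the ownership test runs before any lookup against the subscriber set, and the owner path uses a single response shape, so the membership of an address is only ever disclosed to a user who has proven ownership of it.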

Edited by legoktm
