Description

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

Remediation

References

CVE-2021-42097

Related Vulnerabilities

Oracle JRE CVE-2013-2464 Vulnerability (CVE-2013-2464)

Dotclear Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-16358)

OpenSSL Cryptographic Issues Vulnerability (CVE-2015-3197)

Drupal Core 9.0.0 Cross-Site Request Forgery (9.0.0)

Joomla! Core 3.x.x Arbitrary File Upload (3.0.0 - 3.1.4)

Severity

High

Classification

CVE-2021-42097 CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities