New subject: [Bug 1877379] Re: Arbitrary Content Injection via the private archive login page.

7 May 2020

      Public bug reported:
This is essentially the same as
https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the
private archive login page and the attack only succeeds if the list's
roster visibility (private_roster) setting is 'Anyone'.
This is fixed by the attached patch.
** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress
** Patch added: "Patch to fix this issue"
   https://bugs.launchpad.net/bugs/1877379/+attachment/5367829/+files/private.d...
-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1877379

Title:
  Arbitrary Content Injection via the private archive login page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1877379/+subscriptions

[Bug 1877379] [NEW] Arbitrary Content Injection via the private archive login page.