Public bug reported:
This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.
This is fixed by the attached patch.
** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress
** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1877379/+attachment/5367829/+files/private.d...
** Branch linked: lp:mailman/2.1
** Changed in: mailman Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15011
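The report states that the attack only succeeds on lists whose roster visibility (private_roster) is set to 'Anyone', so an administrator who cannot apply the patch immediately will want to know which lists meet that precondition. The following is an added example, not Mailman's own code or anything from the bug thread: it scans `bin/config_list -o` style dumps for the private_roster setting and reports lists where it is 0. The assumptions are that the dump contains a line of the form `private_roster = N` and that 0 means "Anyone" (1 = "List members", 2 = "List admin only"), as the comment block in such dumps describes; the sample dumps below are constructed for illustration.

```python
import re

# Assumed numeric encoding of the admin UI choices for private_roster in
# Mailman 2.1 (taken from the comment block config_list -o emits, not from
# the bug report itself).
ROSTER_ANYONE = 0
ROSTER_LABELS = {0: "Anyone", 1: "List members", 2: "List admin only"}

# Match only the live assignment line, not the explanatory "#    0 = ..."
# comment lines that precede it in a config_list dump.
_PRIVATE_ROSTER_RE = re.compile(
    r"^\s*private_roster\s*=\s*(\d+)\s*(?:#.*)?$", re.MULTILINE
)


def private_roster_value(dump: str):
    """Return the integer private_roster value found in one config_list -o
    dump, or None if the setting is not present."""
    match = _PRIVATE_ROSTER_RE.search(dump)
    return int(match.group(1)) if match else None


def exposed_lists(dumps):
    """Given a mapping of list name -> config_list -o output, return the
    sorted names of lists whose roster is visible to 'Anyone', i.e. the
    lists on which this private archive login page issue is reachable
    until the fix is installed."""
    return sorted(
        name for name, dump in dumps.items()
        if private_roster_value(dump) == ROSTER_ANYONE
    )


def describe(dumps):
    """Human-readable summary, one line per list, with the label a list
    admin would see in the web UI."""
    lines = []
    for name in sorted(dumps):
        value = private_roster_value(dumps[name])
        label = ROSTER_LABELS.get(value, "unknown")
        flag = "  <-- precondition met" if value == ROSTER_ANYONE else ""
        lines.append(f"{name}: private_roster={value} ({label}){flag}")
    return lines


# Constructed sample dumps mimicking the shape of config_list -o output.
SAMPLE_DUMPS = {
    "announce": (
        "# Who can view subscription list?\n"
        "#\n"
        "# legal values are:\n"
        '#    0 = "Anyone"\n'
        '#    1 = "List members"\n'
        '#    2 = "List admin only"\n'
        "private_roster = 0\n"
    ),
    "staff": (
        "# Who can view subscription list?\n"
        "private_roster = 1\n"
    ),
    "board": (
        "# Who can view subscription list?\n"
        "#private_roster = 0\n"
        "private_roster = 2   # admins only\n"
    ),
}

if __name__ == "__main__":
    for line in describe(SAMPLE_DUMPS):
        print(line)
    print("lists meeting the precondition:", exposed_lists(SAMPLE_DUMPS))
```

In practice the dumps would come from running `bin/config_list -o - <listname>` for each list and feeding the output to `exposed_lists`; any list it names should have its roster visibility tightened or the patch applied.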