*** This bug is a security vulnerability *** Private security bug reported: CVE-2018-5950 A crafted URL for a user options page can cause a browser to execute arbitrary script encoded in the URL. Also, in developing a fix for this issue it was discovered that a user options URL with a VARHELP query fragment would display the user options page without requiring login. No changes could be made and the settings revealed are not particularly sensitive, but this could be used to fish for membership on a list with a private roster. Thanks to Calum Hutton for the original report. ** Affects: mailman Importance: High Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1747209/+attachment/5048344/+files/options.p... ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5950 ** Description changed: CVE-2018-5950 A crafted URL for a user options page can cause a browser to execute arbitrary script encoded in the URL. Also, in developing a fix for this issue it was discovered that a user options URL with a VARHELP query fragment would display the user options page without requiring login. No changes could be made and the settings revealed are not particularly sensitive, but this could be used to fish for membership on a list with a private roster. + + Thanks to Calum Hutton for the original report. -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1747209 Title: XSS vulnerability and information leak in user options CGI To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1747209/+subscriptions