#7260 the Postorius version used for: https://lists.fedorahosted.org/ ... is stale
Opened 9 months ago by herrold. Modified 8 months ago

presently deployed seems to be:

Postorius Documentation • GNU Mailman • Postorius Version 1.1.2

upstream has released up to 1.2.3

https://postorius.readthedocs.io/en/latest/news.html

  • Describe what you need us to do:

Update to a later version, as there is an 'across panels' leak of data when two mailing lists are open and an update occurs in one ... an async status message is displayed in all panels

  • When do you need this? (YYYY/MM/DD)

no deadline -- nice to have

  • When is this no longer needed or useful? (YYYY/MM/DD)

no expiration date

  • If we cannot complete your request, what is the impact?

a cross site exploit seems to exist

To demonstrate, unsubscribe from the following mailing lists:

For usage: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/

For development: https://lists.fedorahosted.org/archives/list/firewalld-devel@lists.fedorahosted.org/

then close the browser to get a fresh cache state (I use Firefox latest in CentOS)

open two tabs

choose one and enter a subscription transaction

change to the other tab

(the XSS leak is in a green box up top, saying: "Please check your inbox for further instructions")

it appears in both tabs


Metadata Update from @kevin:
- Issue assigned to abompard
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: lists

9 months ago
