#7260 the Postorius version used for: https://lists.fedorahosted.org/ ... is stale
Closed: Duplicate 4 months ago by smooge. Opened 2 years ago by herrold.

present deployed seems to be:

Postorius Documentation • GNU Mailman • Postorius Version 1.1.2

upstream has released up to 1.2.3


  • Describe what you need us to do:

Update to a later version, as there is a an 'across panels' leak of data when two mailing lists are open and an update occurs in one ... an async status message is displayed in all panels

  • When do you need this? (YYYY/MM/DD)

no deadline -- nice to have

  • When is this no longer needed or useful? (YYYY/MM/DD)

no expiration date

  • If we cannot complete your request, what is the impact?

a cross site exploit seems to exist

to demonstrate unsubscribe from the following mailing lists

For usage: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/

For development: https://lists.fedorahosted.org/archives/list/firewalld-devel@lists.fedorahosted.org/

then close the browser to get a fresh cache state (I use Firefox latest in CentOS)

open two tabs

choose one and enter a subscription transaction

change to the other tab

(the XSS leak is in a green box up top, saying:
Please check your inbox for further instructions

it appears in both tabs

@abompard can you take a look here?

Metadata Update from @kevin:
- Issue assigned to abompard
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: lists

2 years ago

Metadata Update from @smooge:
- Issue assigned to smooge (was: abompard)
- Issue marked as depending on: #8455

5 months ago

Metadata Update from @smooge:
- Issue unmarked as depending on: #8455

4 months ago

we are going to focus on this in 8455.

Metadata Update from @smooge:
- Issue close_status updated to: Duplicate
- Issue status updated to: Closed (was: Open)

4 months ago

Login to comment on this ticket.