Vulnerability in Mailman that allows determining the mailing list administrator's password

A bugfix release of the GNU Mailman 2.1.35 mailing list management system, which many open source projects use to run their developer mailing lists, has been published. The update resolves two vulnerabilities. The first (CVE-2021-42096) allows any user subscribed to a mailing list to determine the administrator password for that list. The second (CVE-2021-42097) allows a CSRF attack against another user of the mailing list in order to take over their account. Both attacks can only be carried out by a subscribed participant of the mailing list. Mailman 3 is not affected.

Both problems have the same root cause: the csrf_token value used to protect the "options" page against CSRF always matches the administrator's token and is not generated separately for the user of the current session. The csrf_token is derived from the administrator's password hash, which makes brute-forcing the password easier. And because a csrf_token created for one user is also valid for any other user, an attacker can craft a page that, when opened by another user, executes commands in the Mailman interface on behalf of that user and thereby gains control of their account.
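The design lesson from the two CVEs is that a CSRF token must be bound to the session or user it was issued to, must carry no information derived from any password, and must be checked with a constant-time comparison. The snippet below is an added illustration written for this page, not Mailman's own code: `weak_list_token` is a constructed stand-in for the flawed pattern described above (one token per list, derived from the admin password hash and handed to every subscriber), and `issue_user_token`/`verify_user_token` show a per-user alternative using an HMAC over a server-side secret, the user identity and an issue timestamp. `SERVER_SECRET`, the token layout and the one-hour lifetime are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret: generated once, stored outside any
# user-visible value, and unrelated to any password. (Assumption of this
# example, not a Mailman setting.)
SERVER_SECRET = secrets.token_bytes(32)


def weak_list_token(admin_password_hash: str) -> str:
    """Constructed stand-in for the flawed pattern: a single token per list,
    derived from the administrator's password hash and shared by every
    subscriber. Nothing about the requesting user enters the computation."""
    return hashlib.sha256(admin_password_hash.encode()).hexdigest()


def verify_weak_token(token: str, admin_password_hash: str, user: str) -> bool:
    """The weak check accepts the list-wide token for any user, so a token
    obtained by one subscriber passes when replayed as someone else."""
    del user  # deliberately unused: the flaw is that the user is not bound
    return hmac.compare_digest(token, weak_list_token(admin_password_hash))


def issue_user_token(user: str, issued_at: Optional[int] = None) -> str:
    """Per-user token: HMAC-SHA256 over (timestamp, user) keyed with the
    server secret. The token reveals nothing about any password because
    no password material is an input."""
    ts = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(SERVER_SECRET, f"{ts}:{user}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_user_token(token: str, user: str, now: Optional[int] = None,
                      max_age: int = 3600) -> bool:
    """Accept only a token issued to this user within the last max_age
    seconds; recompute the MAC and compare in constant time."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(SERVER_SECRET, f"{ts}:{user}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    admin_hash = "constructed-admin-password-hash"
    shared = weak_list_token(admin_hash)
    # Weak design: the same token is valid for alice and for bob.
    print("weak token accepted for bob:", verify_weak_token(shared, admin_hash, "bob@example.org"))
    # Hardened design: alice's token is rejected when presented as bob.
    t = issue_user_token("alice@example.org")
    print("alice token valid for alice:", verify_user_token(t, "alice@example.org"))
    print("alice token valid for bob:  ", verify_user_token(t, "bob@example.org"))
```

The important properties to check in a review of any CSRF scheme are visible in `verify_user_token`: the user (or session id) is part of the MAC input, the key is a dedicated secret rather than a password hash, the token expires, and the comparison is `hmac.compare_digest` rather than `==`.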

Source: opennet.ru
