Vulnerability in Mailman that allows viewing the mailing list administrator password

A corrective release of the GNU Mailman 2.1.35 mailing list management system has been published; Mailman is used to organize communication between developers in many open source projects. The update fixes two vulnerabilities. The first (CVE-2021-42096) allows any user subscribed to a mailing list to determine the admin password for that list. The second (CVE-2021-42097) makes it possible to carry out a CSRF attack against another user of the mailing list in order to take over their account. The attack can only be carried out by a subscribed member of the mailing list. Mailman 3 is not affected by this issue.

Both problems stem from the fact that the csrf_token value used to protect the options page against CSRF attacks is always the same as the administrator's token, and is not generated separately for the current session user. When the csrf_token is generated, information about the hash of the administrator password is used, which makes it easier to recover the password by brute force. Since a csrf_token generated for one user is also valid for any other user, an attacker can craft a page that, when opened by another user, causes commands to be executed in the Mailman interface on behalf of that user, giving the attacker control of their account.
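The fix for this class of flaw is to bind each CSRF token to the session user and to derive it from a dedicated server secret rather than from any password hash. The following is an added illustration of that design, not Mailman's own code: the token is an HMAC over the user, the list name and an expiry time, keyed with an assumed random server secret, so a token issued to one user fails verification for another and reveals nothing about any credential.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed per-process secret; a real deployment would load and rotate it
# from configuration. Crucially, it is independent of every user's password hash.
SERVER_SECRET = os.urandom(32)


def _message(user: str, listname: str, expiry: int) -> bytes:
    # Length-prefix each field so "ab"+"c" cannot collide with "a"+"bc".
    return f"{len(user)}:{user}|{len(listname)}:{listname}|{expiry}".encode()


def make_csrf_token(user: str, listname: str, now: Optional[int] = None,
                    ttl: int = 3600, secret: bytes = SERVER_SECRET) -> str:
    """Issue a token valid only for `user` on `listname` until now+ttl."""
    if now is None:
        now = int(time.time())
    expiry = now + ttl
    mac = hmac.new(secret, _message(user, listname, expiry), hashlib.sha256).hexdigest()
    return f"{expiry}:{mac}"


def verify_csrf_token(token: str, user: str, listname: str,
                      now: Optional[int] = None, secret: bytes = SERVER_SECRET) -> bool:
    """Accept the token only if it was minted for this user/list and has not expired.

    `user` comes from the authenticated session, never from the request body,
    which is what stops one subscriber's token from working for another.
    """
    if now is None:
        now = int(time.time())
    try:
        expiry_str, mac = token.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if now > expiry:
        return False
    expected = hmac.new(secret, _message(user, listname, expiry), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    t = make_csrf_token("alice@example.org", "dev-list", now=1000)
    print("alice, same list :", verify_csrf_token(t, "alice@example.org", "dev-list", now=1500))
    print("bob, same token  :", verify_csrf_token(t, "bob@example.org", "dev-list", now=1500))
    print("alice, expired   :", verify_csrf_token(t, "alice@example.org", "dev-list", now=5000))
```

The important property for the Mailman case is the second line of output: because the session user is part of the MAC input, a token obtained by one subscriber cannot be replayed in a page that targets another subscriber, and because the key is a random server secret, the token carries no information about the administrator password.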

Source: opennet.ru
