Vulnerability identifier: #VU53655
Vulnerability risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software: HyperKitty (Web applications / Remote management & hosting panels)
Vendor: GNU
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing authorization checks in "management/commands/hyperkitty_import.py" during the import of a private mailing list's archives when migrating from Mailman 2 to Mailman 3. A remote attacker can download sensitive information during the import stage, as the archives become available to everybody.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
HyperKitty: 0.1.2 - 1.3.4 rc2
External links
http://gitlab.com/mailman/hyperkitty/-/issues/380
http://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.