CVE-2021-42097
Description
GNU Mailman before 2.1.35 allows CSRF token reuse across user sessions, enabling a list member to perform account takeover of another member via CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GNU Mailman versions prior to 2.1.35 contain a cross-site request forgery (CSRF) vulnerability in the user options page. The csrf_token value is not bound to a specific user session; a token generated for one user can be reused by another. This allows an authenticated list member to obtain a valid token from their own session and use it to craft a CSRF attack against another list member. The vulnerability affects all Mailman 2.1.x releases before 2.1.35 [1][2][3].
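To show the defect class described above, the following Python example is added here; it is not Mailman's code, and the token layout, `SITE_SECRET`, list name and member addresses are constructed for illustration. A token whose MAC covers only the list name verifies in any member's session, whereas a token whose MAC also covers the acting user's identity (taken from the server-side session, never from the request) fails when presented from another member's session, after expiry, or after tampering.

```python
import hashlib
import hmac
import secrets

# Constructed per-installation secret (generated at import for this example;
# a real service would persist one and rotate it deliberately).
SITE_SECRET = secrets.token_bytes(32)
MAX_AGE = 3600  # seconds a token stays valid


def _message(*parts) -> str:
    """Join the fields under the MAC with an unambiguous separator."""
    return "\x00".join(str(p) for p in parts)


def _mac(message: str) -> str:
    return hmac.new(SITE_SECRET, message.encode(), hashlib.sha256).hexdigest()


def _split(token: str):
    """Return (timestamp, mac) or None if the token is malformed."""
    try:
        ts_str, mac = token.split(".", 1)
        return int(ts_str), mac
    except ValueError:
        return None


def _fresh(ts: int, now: int) -> bool:
    return 0 <= now - ts <= MAX_AGE


# --- Defective scheme: the token depends on the list only -------------------
def mint_list_token(list_name: str, now: int) -> str:
    return f"{now}.{_mac(_message(list_name, now))}"


def verify_list_token(list_name: str, token: str, now: int) -> bool:
    parsed = _split(token)
    if parsed is None:
        return False
    ts, mac = parsed
    if not _fresh(ts, now):
        return False
    # Nothing here ties the token to the member who is submitting the form.
    return hmac.compare_digest(mac, _mac(_message(list_name, ts)))


# --- Hardened scheme: the token is also bound to the acting user ------------
def mint_user_token(list_name: str, user: str, now: int) -> str:
    return f"{now}.{_mac(_message(list_name, user, now))}"


def verify_user_token(list_name: str, user: str, token: str, now: int) -> bool:
    parsed = _split(token)
    if parsed is None:
        return False
    ts, mac = parsed
    if not _fresh(ts, now):
        return False
    # `user` is the identity of the authenticated session that submitted the
    # form, read from server-side session state, never from the request body.
    return hmac.compare_digest(mac, _mac(_message(list_name, user, ts)))


def demonstrate() -> dict:
    """Mint a token in one member's session and check whether it is accepted
    when the form is submitted from another member's session."""
    now = 1_700_000_000
    alice = "alice@example.org"  # constructed member identities
    bob = "bob@example.org"
    list_tok = mint_list_token("test-list", now)
    user_tok = mint_user_token("test-list", alice, now)
    last = user_tok[-1]
    tampered = user_tok[:-1] + ("0" if last != "0" else "1")
    return {
        "list_token_reused_in_bobs_session": verify_list_token("test-list", list_tok, now + 10),
        "user_token_in_alices_own_session": verify_user_token("test-list", alice, user_tok, now + 10),
        "user_token_reused_in_bobs_session": verify_user_token("test-list", bob, user_tok, now + 10),
        "user_token_expired": verify_user_token("test-list", alice, user_tok, now + MAX_AGE + 1),
        "user_token_tampered": verify_user_token("test-list", alice, tampered, now),
        "user_token_malformed": verify_user_token("test-list", alice, "garbage", now),
    }


if __name__ == "__main__":
    for check, accepted in demonstrate().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The point of the hardened variant is that the identity under the MAC comes from the server's own view of the session, so a token minted for one member cannot be made to verify for another regardless of what the request carries; binding to a per-session identifier instead of the email address works the same way.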
Exploitation
An attacker must be a member of the target mailing list. The attacker first obtains a csrf_token from their own session (e.g., by visiting the user options page). They then induce a victim (another list member with an active session) to submit a crafted request containing that token, typically via a malicious link or email. Because the token is not user-specific, the server accepts it and executes the attacker's intended actions under the victim's authentication context [2].
Impact
Successful exploitation allows the attacker to perform any action the victim can perform on the Mailman web interface, including changing the victim's password, email address, or other account settings. This effectively results in account takeover. The attack is limited to list members; non-members cannot initiate it [1][3].
Mitigation
The vulnerability is fixed in Mailman 2.1.35, released on October 19, 2021 [1][3]. Users are advised to upgrade immediately. For those unable to upgrade, a patch is available from the Mailman project [1]. No other workarounds are documented.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GNU/Mailman (from the CVE description)
- OSV coordinates (3 versions, no CPE):
  - pkg:rpm/almalinux/mailman: < 3:2.1.29-12.module_el8.5.0+26+48d4c9ee.2
  - pkg:rpm/opensuse/mailman&distro=openSUSE%20Leap%2015.2: < 2.1.35-lp152.7.6.1
  - pkg:rpm/suse/mailman&distro=SUSE%20Package%20Hub%2015%20SP2: < 2.1.35-bp152.7.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.debian.org/security/2021/dsa-4991 (mitre; vendor-advisory, x_refsource_DEBIAN)
- www.openwall.com/lists/oss-security/2021/10/21/4 (mitre; mailing-list, x_refsource_MLIST)
- bugs.launchpad.net/mailman/+bug/1947640 (mitre; x_refsource_CONFIRM)
- mail.python.org/archives/list/mailman-announce%40python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/ (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.