Security Flaw Found in Postorius
TL;DR: A cross-site scripting (XSS) vulnerability was discovered in Postorius, the web interface for Mailman 3. The flaw allows attackers to inject malicious HTML into message subjects on the 'Held messages' pop-up, which could lead to the exposure of sensitive administrator information.
Key facts
- Category: Cybersecurity
- Impact: Medium
- Published
- Source: Ubuntu Security Notices
Full summary
A security flaw in Postorius, the web UI for Mailman 3, could allow attackers to inject malicious code and expose sensitive data.
A security vulnerability has been identified in Postorius, the web-based user interface for the Mailman 3 mailing list manager. The software failed to properly sanitize HTML code in the subject lines of emails displayed within the "Held messages" pop-up. This oversight creates a cross-site scripting (XSS) vulnerability, allowing an attacker to craft an email with a malicious subject line. When an administrator views this message in the queue, the embedded code executes within their browser in the context of the trusted Postorius application.
The primary risk of this vulnerability is the potential for an attacker to compromise an administrator's session. By injecting a malicious script, they could steal session cookies, capture credentials, or access other sensitive data visible on the administrator's interface. This affects any organization using Postorius to manage their Mailman 3 instance. System administrators and IT teams are the most direct targets, as their accounts hold elevated privileges that, if compromised, could lead to further unauthorized actions within the mailing list system.
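The following Python example is added here to illustrate the class of bug the advisory describes; it is not Postorius' own code and does not reproduce the actual flaw. It assumes a hypothetical `HeldMessage` record with `msg_id`, `sender` and `subject` fields and a constructed two-entry queue. It renders the same row with raw interpolation (the weak pattern: message subject copied into HTML as-is) and with `html.escape` applied to every untrusted field (the corrected pattern), and adds a small triage helper that lists held messages whose subject contains HTML-significant characters, which is the kind of check an administrator might run on a queue while confirming the fix.

```python
import html
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class HeldMessage:
    """One moderation-queue entry. Hypothetical shape, not the Postorius model."""
    msg_id: str
    sender: str
    subject: str


# Constructed sample queue (not real data). The second subject carries
# markup, quotes and an ampersand, all of which must be neutralised on output.
SAMPLE_QUEUE: List[HeldMessage] = [
    HeldMessage("m1", "alice@example.org", "Agenda for Friday"),
    HeldMessage("m2", "bob@example.org", '<b>Urgent</b> "read me" & reply'),
]


def render_row_unescaped(msg: HeldMessage) -> str:
    """Weak pattern: untrusted fields are interpolated straight into HTML.

    Anything in the subject that parses as markup becomes part of the page
    the moderator sees; this is the defect class the advisory describes.
    """
    return (f"<tr><td>{msg.msg_id}</td><td>{msg.sender}</td>"
            f"<td>{msg.subject}</td></tr>")


def render_row_escaped(msg: HeldMessage) -> str:
    """Corrected pattern: every untrusted field is HTML-escaped, quotes included.

    quote=True also encodes " and ' so the value is safe inside attributes,
    not only in text nodes.
    """
    cells = "".join(f"<td>{html.escape(field, quote=True)}</td>"
                    for field in (msg.msg_id, msg.sender, msg.subject))
    return f"<tr>{cells}</tr>"


def render_held_table(queue: Iterable[HeldMessage], escape: bool = True) -> str:
    """Render the whole held-messages table; escape=False shows the weak form."""
    render = render_row_escaped if escape else render_row_unescaped
    rows = "".join(render(m) for m in queue)
    return f"<table>{rows}</table>"


def subjects_with_markup(queue: Iterable[HeldMessage]) -> List[str]:
    """Triage helper: ids of held messages whose subject contains angle brackets.

    Such subjects are rare in legitimate mail and are the ones worth reviewing
    from a trusted view (or after the update) rather than from an unpatched UI.
    """
    return [m.msg_id for m in queue if "<" in m.subject or ">" in m.subject]


if __name__ == "__main__":
    print("weak   :", render_held_table(SAMPLE_QUEUE, escape=False))
    print("fixed  :", render_held_table(SAMPLE_QUEUE))
    print("review :", subjects_with_markup(SAMPLE_QUEUE))
```

In a Django application the equivalent of `render_row_escaped` is the template autoescaping that is on by default; the weak form corresponds to marking a subject as safe or disabling autoescape for that block. A fix for this class of issue therefore consists of removing that exemption, not of filtering subjects on input.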
⚡ Action needed
Administrators of systems using Postorius for Mailman 3 should update to a patched version to mitigate this cross-site scripting (XSS) vulnerability. Applying the security update prevents potential exposure of sensitive administrator information.
Action checklist
1. Identify all systems running the Postorius web UI for Mailman 3.
2. Check your current software version against the patched version.
3. Apply the latest security update provided by your software vendor.
4. Confirm the vulnerability is resolved by testing the 'Held messages' feature.
Primary source: Ubuntu Security Notices
