Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.
Problem types
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
References
github.com/...stmonk/security/advisories/GHSA-rf24-wg77-gq7w
