
Security advisory for v4.1.0 with non-superadmin users

Open knadh opened this issue 9 months ago • 3 comments

Issue

The subscribers:sql_query permission check is broken, allowing non-superadmin users on an installation to query the sessions table via the GET /api/subscribers API and access the Super Admin account.

Who is affected?

Installations with non-trusted user accounts with the subscribers:get_all permission.

Mitigation

If you have non-trusted user accounts, disable the subscribers:get_all permission on them for now. This fully disables using the API to query subscribers via SQL expressions. A fix is being developed here which will be available in the upcoming v5.0.0 release.

knadh avatar Apr 16 '25 12:04 knadh
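As an added defender-side example (not code from this issue or from the listmonk project), a small access-log scan that flags GET /api/subscribers requests whose SQL expression references the sessions table, which is the abuse path the advisory describes. It assumes the expression travels in a `query` parameter and that the access log is in common log format; the log lines below are constructed.

```python
"""Flag access-log entries where a subscriber search expression touches
the sessions table (the path described in the listmonk v4.1.0 advisory)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: the SQL expression is passed in the `query` parameter of
# GET /api/subscribers. Adjust if your deployment uses a different name.
QUERY_PARAM = "query"

# Bare-word match for the sessions table; tolerates quoting and schema prefixes.
SESSIONS_RE = re.compile(r"\bsessions\b", re.IGNORECASE)

# Common log format: ip - user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [16/Apr/2025:12:04:01 +0000] "GET /api/subscribers?query=subscribers.status%3D%27enabled%27 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [16/Apr/2025:12:05:22 +0000] "GET /api/subscribers?query=subscribers.id%20IN%20(SELECT%201%20FROM%20sessions) HTTP/1.1" 200 2048',
    '10.0.0.9 - bob [16/Apr/2025:12:06:00 +0000] "GET /api/lists HTTP/1.1" 200 128',
]


def suspicious_query(target: str) -> Optional[str]:
    """Return the decoded SQL expression if the request targets
    /api/subscribers and the expression references `sessions`, else None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/api/subscribers"):
        return None
    # parse_qs percent-decodes the values for us.
    for expr in parse_qs(parts.query).get(QUERY_PARAM, []):
        if SESSIONS_RE.search(expr):
            return expr
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, user, expression) for each GET request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        expr = suspicious_query(m["target"])
        if expr is not None:
            hits.append((m["ip"], m["user"], expr))
    return hits


if __name__ == "__main__":
    for ip, user, expr in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {user}: {expr}")
```

Any hit from a non-superadmin account on a v4.1.0 install is worth treating as an attempted session-table read until the upgrade to v5.0.0 is done.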

This is addressed in v5.0.0.

knadh avatar Apr 30 '25 05:04 knadh

Hi @knadh, was this published in https://github.com/knadh/listmonk/security?

I set up notifications for Security advisories and releases in this repo, but haven't received any alerts about this since it's an Issue.

candidexmedia avatar May 04 '25 23:05 candidexmedia

Hi @candidexmedia. That's only for libraries/packages/dependencies I think, not standalone repos. The form asks for a package name in a particular language (e.g. Go) and does a lookup to see if the package exists.

knadh avatar May 09 '25 04:05 knadh