Listmonk Permission Bypass Vulnerability in Multi-User Environments
Vulnerability
A vulnerability in Listmonk, a self-hosted newsletter and mailing list manager, allows a user in a multi-user deployment to bypass list permission checks and read or act on lists that were never granted to them. It affects versions from 4.1.0 up to, but not including, 6.1.0. The root cause is missing list-permission validation in several code paths, including campaign management, subscriber handling, and CSV imports: these operations accept list IDs from the request without confirming that the calling user holds permission on each of them. The issue is fixed in version 6.1.0.
Impact
Exploitation gives an authenticated but low-privileged user unauthorized access to mailing lists: they can view or manage subscribers of lists they do not have permission for. In practice this means per-list permissions cannot be relied on to separate users or teams sharing one instance until the fix is applied.
Reproduction
A user in a multi-user environment who lacks permission on a given list can still reach that list through the functions that did not validate list access: sending a test email for a campaign addressed to the list, importing subscribers into it via CSV, applying bulk management options to its subscribers, and exporting its subscriber information from the admin interface. In each case the request simply names a list ID the user is not authorized for, and the operation proceeds.
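The pattern behind this bug class is an operation that trusts the list IDs carried in the request and never consults the caller's per-list grants. The following Go example, added here and not taken from Listmonk's code base, shows a minimal version of that mistake next to the fix: a single fail-closed gate that every list-scoped operation (export, CSV import, bulk actions, test sends) must call before touching the lists. The permission names, the User model with its AllLists flag, the in-memory subscriber store, and the sample data are all constructed for the example and are not Listmonk's own types or data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Perm names are assumptions for this example, not listmonk's real permission set.
type Perm string

const (
	PermListGet    Perm = "list:get"    // view a list and its subscribers
	PermListManage Perm = "list:manage" // import, export, bulk-modify, send to a list
)

// User is a hypothetical model: per-list grants plus an admin-style "all lists" flag.
type User struct {
	ID        int
	AllLists  bool
	ListPerms map[int]map[Perm]bool // listID -> granted perms
}

var ErrForbidden = errors.New("forbidden: missing permission on one or more lists")

// can reports whether u holds perm on a single list.
func (u User) can(perm Perm, listID int) bool {
	if u.AllLists {
		return true
	}
	return u.ListPerms[listID][perm]
}

// RequireListPerm is the one gate every list-scoped operation must pass through.
// It fails closed: an empty list set is rejected, and a single missing grant
// rejects the whole request instead of silently dropping the denied list.
func RequireListPerm(u User, perm Perm, listIDs []int) ([]int, error) {
	if len(listIDs) == 0 {
		return nil, errors.New("no lists specified")
	}
	var denied []int
	for _, id := range listIDs {
		if !u.can(perm, id) {
			denied = append(denied, id)
		}
	}
	if len(denied) > 0 {
		sort.Ints(denied)
		return nil, fmt.Errorf("%w: lists %v", ErrForbidden, denied)
	}
	return listIDs, nil
}

// Constructed sample store: listID -> subscriber emails.
var subscribersByList = map[int][]string{
	1: {"a@example.com", "b@example.com"},
	2: {"c@example.com"},
}

// ExportSubscribersVulnerable mirrors the bug class: the list IDs come straight
// from the request and the caller's grants are never consulted.
func ExportSubscribersVulnerable(u User, listIDs []int) ([]string, error) {
	var out []string
	for _, id := range listIDs {
		out = append(out, subscribersByList[id]...)
	}
	return out, nil
}

// ExportSubscribers is the hardened form: same operation, behind the gate.
func ExportSubscribers(u User, listIDs []int) ([]string, error) {
	ids, err := RequireListPerm(u, PermListGet, listIDs)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, id := range ids {
		out = append(out, subscribersByList[id]...)
	}
	return out, nil
}

// ImportCSV shows the import case: the target lists, not just the CSV rows,
// are what must be authorized. Returns the number of list memberships added.
func ImportCSV(u User, targetLists []int, rows []string) (int, error) {
	if _, err := RequireListPerm(u, PermListManage, targetLists); err != nil {
		return 0, err
	}
	for _, id := range targetLists {
		subscribersByList[id] = append(subscribersByList[id], rows...)
	}
	return len(rows) * len(targetLists), nil
}

func main() {
	limited := User{ID: 2, ListPerms: map[int]map[Perm]bool{1: {PermListGet: true}}}
	rows, _ := ExportSubscribersVulnerable(limited, []int{2})
	fmt.Println("vulnerable export of list 2 leaked:", rows)
	_, err := ExportSubscribers(limited, []int{2})
	fmt.Println("hardened export of list 2:", err)
}
```

The design point is that the check lives in one function with a fixed contract (reject on any denied list, reject empty input) and each entry point calls it with the permission that operation actually needs; a per-handler ad hoc check is exactly what went missing in the affected versions.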
Remediation
Upgrade to Listmonk 6.1.0 or later, which adds the missing list-permission checks. Until the upgrade is applied, per-list permissions should not be trusted to restrict what users of a shared instance can see or modify.
