Fix a potentail XSS attack via the user options page.

2 files changed, 14 insertions, 0 deletions

diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 60b7d9b6..3db0a172 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -346,6 +346,8 @@ def main():
             varhelp = qs[0]
     if varhelp:
         # Sanitize the topic name.
+        while '%' in varhelp:
+            varhelp = urllib.unquote_plus(varhelp)
         varhelp = re.sub('<.*', '', varhelp)
         topic_details(mlist, doc, user, cpuser, userlang, varhelp)
         return
diff --git a/NEWS b/NEWS
index 86b09d70..184f968b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,18 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
+2.1.36 (xx-Nov-2021)
+
+  Security
+
+    - A potential XSS attack via the user options page has been reported by
+      Harsh Jaiswal.  This is fixed.  CVE-2021-43331 (LP:#1949401)
+
+    - A potential for for a list moderator to carry out an off-line brute force
+      attack to obtain the list admin password has been reported by Andre
+      Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
+      CVE-2021-43332 (LP:#1949403)
+
 2.1.35 (19-Oct-2021)
 
   Security