Security advisory for v4.1.0 with non-superadmin users

[knadh]

Issue

The subscribers:sql_query permission check is broken, allowing non-superadmin users on an installation to query the sessions table via the GET /api/subscribers API and access the Super Admin account.

Who is affected?

Installations with non-trusted user accounts with the subscribers:get_all permission.

Mitigation
If you have non-trusted user accounts, disable the subscribers:get_all permission on them for now. This fully disables using the API to query subscribers via SQL expressions. A fix is being developed here which will be available in the upcoming v5.0.0 release.

[knadh]

This is addressed in v5.0.0.

[candidexmedia]

Hi @knadh Was this published in https://github.com/knadh/listmonk/security?

I set up notifications for Security advisories and releases in this repo, but haven't received any alerts about this since it's an Issue.

[knadh]

Hi @candidexmedia. That's only for libraries/packages/dependencies I think, not standalone repos. The form asks for a package name in a particular language (eg: Go) and does a lookup to see if the package exists.