Description


The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.


Note, however, that the CVE-2022-40319 vulnerability allows someone with a LISTSERV account to edit another user's profile name only. LISTSERV and wa.exe don't currently do anything with this name field, other than displaying it on the 'edit profile' page.


Specifically, the vulnerability doesn't modify the name that appears when someone posts to a mailing list, or the name that LISTSERV identifies the user as in any other context beyond that one page.


https://nvd.nist.gov/vuln/detail/CVE-2022-40319

Mitigation


This being the case, the simplest solution is to remove the link to the page in question. This can be done by going to 'Web Templates' under 'Server Administration', editing the BODY-GLOBAL-PROFILE web template, and removing this line:


<td class="left"><input type="button" value="&+T-GLOBAL-EDIT; &+T-GLOBAL-PROFILE;" onclick="editProfile()" /></td>
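To confirm the edit took effect, the following added example (not part of the original advisory and not LISTSERV code) scans a saved copy of the BODY-GLOBAL-PROFILE template text for the button line quoted above and can produce the text with that line removed. It assumes you have copied the template text out of the web interface yourself; the surrounding sample markup and the goBack() handler are constructed for illustration.

```python
import re

# An <input> tag whose onclick handler calls editProfile(), tolerant of
# attribute order, quote style, a trailing ';' and tag/attribute case.
BUTTON_RE = re.compile(
    r"<input\b[^>]*\bonclick\s*=\s*(['\"])\s*editProfile\(\)\s*;?\s*\1[^>]*>",
    re.IGNORECASE,
)

def find_edit_profile_buttons(template_text):
    """Return (line_number, stripped_line) for each line that still renders the button."""
    return [
        (n, line.strip())
        for n, line in enumerate(template_text.splitlines(), 1)
        if BUTTON_RE.search(line)
    ]

def remove_edit_profile_buttons(template_text):
    """Drop every line carrying the button; return (new_text, removed_lines)."""
    kept, removed = [], []
    for n, line in enumerate(template_text.splitlines(keepends=True), 1):
        if BUTTON_RE.search(line):
            removed.append((n, line.strip()))
        else:
            kept.append(line)
    return "".join(kept), removed

# Constructed sample: only line 3 is the line quoted in the advisory.
SAMPLE_TEMPLATE = """<table>
<tr>
<td class="left"><input type="button" value="&+T-GLOBAL-EDIT; &+T-GLOBAL-PROFILE;" onclick="editProfile()" /></td>
<td class="right"><input type="button" value="Constructed button" onclick="goBack()" /></td>
</tr>
</table>
<script>function editProfile() { /* constructed stub */ }</script>
"""

if __name__ == "__main__":
    for n, line in find_edit_profile_buttons(SAMPLE_TEMPLATE):
        print(f"line {n}: button still present: {line}")
    cleaned, removed = remove_edit_profile_buttons(SAMPLE_TEMPLATE)
    print(f"removed {len(removed)} line(s); remaining hits: "
          f"{len(find_edit_profile_buttons(cleaned))}")
```

The script definition of editProfile() is deliberately not flagged, since the advisory's mitigation is to remove only the button line.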