

SECUREDROP = 0.3 – Possible Backdoor and Privileges Escalation by Unauth User - jmedwards
http://seclists.org/bugtraq/2015/Apr/8

======
fabulist
Relevant portion of the rant:

    File /securedrop/journalist.py, lines 125-128, missing @admin_required decorator

    125 @app.route('/admin/add', methods=('GET', 'POST'))
    126 def admin_add_user():
    127     # TODO: process form submission
    128     return render_template("admin_add_user.html")

Ouch!
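The bug class quoted above is a route under an admin prefix whose view never checks the caller's privilege. The following is an added illustration, not SecureDrop's code and not from the bugtraq post: it uses a tiny Flask-like route registry (MiniApp, admin_required, Forbidden and the session dict are all assumptions made so it runs without Flask installed), shows the unprotected route shape next to its decorated form, and adds the check a maintainer would want in the test suite: walk every registered route under /admin/ and fail if any view lacks the decorator.

```python
"""
Added example (not SecureDrop's code). Demonstrates an admin_required
decorator on a Flask-style route, the unprotected variant beside it, and
an automated coverage check over all /admin/ routes.
"""
import functools


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


class MiniApp:
    """Minimal stand-in for flask.Flask: app.route() registers a view per path."""

    def __init__(self):
        self.routes = {}  # path -> view function

    def route(self, path, methods=("GET",)):
        def register(view):
            self.routes[path] = view
            return view
        return register

    def dispatch(self, path, session):
        return self.routes[path](session)


def admin_required(view):
    """Deny the request unless the session carries an admin flag."""
    @functools.wraps(view)
    def wrapped(session, *args, **kwargs):
        if not session.get("is_admin"):
            raise Forbidden(view.__name__)
        return view(session, *args, **kwargs)
    wrapped.admin_required = True  # marker the coverage check looks for
    return wrapped


app = MiniApp()


# The shape reported in the thread: an /admin/ route with no authorization check.
@app.route("/admin/add_unprotected", methods=("GET", "POST"))
def admin_add_user_unprotected(session):
    return "admin_add_user.html"


# The corrected form: admin_required sits directly under app.route, so the
# function that gets registered is the wrapped (checked) one.
@app.route("/admin/add", methods=("GET", "POST"))
@admin_required
def admin_add_user(session):
    return "admin_add_user.html"


def request(path, session):
    """Return (status, body) the way a test client would."""
    try:
        return 200, app.dispatch(path, session)
    except Forbidden:
        return 403, ""


def unprotected_admin_routes(app):
    """List /admin/ routes whose registered view lacks the admin_required marker."""
    return sorted(
        path for path, view in app.routes.items()
        if path.startswith("/admin/") and not getattr(view, "admin_required", False)
    )


if __name__ == "__main__":
    anonymous = {}  # constructed session with no admin flag
    print(request("/admin/add_unprotected", anonymous))  # (200, ...), the bug
    print(request("/admin/add", anonymous))              # (403, '')
    print(unprotected_admin_routes(app))                 # ['/admin/add_unprotected']
```

Decorator order matters in real Flask just as in this stand-in: `@app.route` must be the outermost decorator, otherwise the route registers the bare view and the privilege check is silently bypassed. The `unprotected_admin_routes` check catches both that mistake and a missing decorator, because it inspects what was actually registered rather than the source text.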

