CVE-2020-12137

Published: 24 April 2020

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
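To make the sniffing step in the description concrete, the following Python is an added example (not Mailman's or Ubuntu's code) that models what a browser does with a scrubbed attachment response under the WHATWG MIME Sniffing rules: with no Content-Type, leading bytes that look like HTML are promoted to text/html, while a declared type or an X-Content-Type-Options: nosniff header prevents that. The header values and sample body are constructed for the demonstration, and the model is a simplified subset of the standard.

```python
# Added example: simplified model of WHATWG MIME sniffing for a response that
# carries no Content-Type (the archive-server case described in the CVE text).
# Headers, values and the sample body are constructed, not taken from a real server.

# Tag patterns matched case-insensitively at the start of the body, each followed
# by 0x20 (space) or 0x3E ('>'); the comment opener '<!--' needs no terminator.
HTML_TAG_PATTERNS = [
    b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1", b"<DIV",
    b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B", b"<BODY", b"<BR", b"<P", b"<!--",
]
# "Binary data bytes" from the sniffing standard; any of them forces a binary verdict.
BINARY_BYTES = set(range(0x00, 0x09)) | {0x0B} | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20))
RESOURCE_HEADER_LEN = 1445  # the standard only inspects this many leading bytes


def sniffs_as_html(body: bytes) -> bool:
    """True if the leading bytes match one of the HTML tag patterns."""
    head = body[:RESOURCE_HEADER_LEN].lstrip(b"\t\n\x0c\r ").upper()
    for pat in HTML_TAG_PATTERNS:
        if head.startswith(pat):
            if pat == b"<!--" or head[len(pat):len(pat) + 1] in (b" ", b">"):
                return True
    return False


def effective_type(headers: dict, body: bytes) -> str:
    """Type a sniffing browser would render the response as (simplified model)."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if declared:
        # A declared type such as application/octet-stream is honoured: no HTML promotion.
        return declared
    # No Content-Type: HTML tag sniffing is skipped only when nosniff is set.
    if not nosniff and sniffs_as_html(body):
        return "text/html"
    binary = any(b in BINARY_BYTES for b in body[:RESOURCE_HEADER_LEN])
    return "application/octet-stream" if binary else "text/plain"


def is_sniff_safe(headers: dict, body: bytes) -> bool:
    """Defender check: does this attachment response avoid rendering as HTML in the archive's origin?"""
    return effective_type(headers, body) != "text/html"


if __name__ == "__main__":
    # Constructed octet-stream attachment whose bytes happen to look like HTML.
    body = b"\n<html><body>constructed sample</body></html>"
    print(effective_type({}, body))                                            # text/html
    print(effective_type({"X-Content-Type-Options": "nosniff"}, body))         # text/plain
    print(effective_type({"Content-Type": "application/octet-stream"}, body))  # application/octet-stream
```

Running the same check against a real archive's responses for scrubbed attachment URLs shows whether the server leaves the browser free to sniff, which is the condition the description depends on.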

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: mailman (links: Launchpad, Ubuntu, Debian)

Release     Status
bionic      Released (1:2.1.26-1ubuntu0.1)
eoan        Ignored (reached end-of-life)
focal       Released (1:2.1.29-1ubuntu3.1)
groovy      Does not exist
hirsute     Does not exist
impish      Does not exist
jammy       Does not exist
precise     Does not exist
trusty      Does not exist
upstream    Needs triage
xenial      Released (1:2.1.20-1ubuntu0.4)