CVE-2020-12137

Published: 24 April 2020

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
mailman
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2.1.26-1ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1:2.1.20-1ubuntu0.4)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist